{"id":"CVE-2017-12794","details":"In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.","aliases":["GHSA-9r8w-6x8c-6jr9","PYSEC-2017-44"],"modified":"2026-04-10T03:44:12.006364Z","published":"2017-09-07T13:29:00.467Z","related":["SUSE-SU-2018:0973-1","SUSE-SU-2018:1102-1","openSUSE-SU-2018:0632-1","openSUSE-SU-2023:0077-1","openSUSE-SU-2024:11205-1","openSUSE-SU-2024:13887-1","openSUSE-SU-2024:14208-1","openSUSE-SU-2026:10005-1"],"references":[{"type":"WEB","url":"https://usn.ubuntu.com/3559-1/"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/100643"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1039264"},{"type":"FIX","url":"https://www.djangoproject.com/weblog/2017/sep/05/security-releases/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"0"},{"last_affected":"bd97496d07466f3a940e2fcc114b540ca01cd340"},{"introduced":"0"},{"last_affected":"e99ebfcc140a5f794e259994f9252cb440459143"},{"introduced":"0"},{"last_affected":"46b40274dd44921f72a59771ecb3d2b2c7b3aa0b"},{"introduced":"0"},{"last_affected":"4c047e90b62529681dc691bc935036108d6b0324"},{"introduced":"0"},{"last_affected":"6157cd6da1b27716e8f3d1ed692a6e33d970ae46"},{"introduced":"0"},{"last_affected":"320ec4ed27c254a87e09a70601b1b27ae0a0456e"},{"introduced":"0"},{"last_affected":"e75c188d1cd4ddae2726fe6db001f9e9d693b032"},{"introduced":"0"},{"last_affected":"2a0d8ae9bd8b0e6f7df4ca060bb072b9b79594e1"},{"introduced":"0"},{"last_affected":"ce4edd260bfa790418eea7de0112ce7c16feb304"},{"introduced":"0"},{"last_affected":"e793a93bef6408274c81ecf8f39f6549afd3608f"},{"introduced":"0"},{"last_affected":"1a34dfcf797640d5d580d261694cb54e6f97c552"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.10.1"},{"introduced":"0"},{"last_affected":"1.10.2"},{"introduced":"0"},{"last_affected":"1.10.3"},{"introduced":"0"},{"last_affected":"1.10.4"},{"introduced":"0"},{"last_affected":"1.10.5"},{"introduced":"0"},{"last_affected":"1.10.6"},{"introduced":"0"},{"last_affected":"1.10.7"},{"introduced":"0"},{"last_affected":"1.11.1"},{"introduced":"0"},{"last_affected":"1.11.2"},{"introduced":"0"},{"last_affected":"1.11.3"},{"introduced":"0"},{"last_affected":"1.11.4"}]}}],"versions":["1.0","1.1","1.10","1.10.1","1.10.2","1.10.3","1.10.4","1.10.5","1.10.6","1.10.7","1.10a1","1.10b1","1.10rc1","1.11","1.11.1","1.11.2","1.11.3","1.11.4","1.11a1","1.11b1","1.11rc1","1.2","1.2.1","1.3","1.4","1.7a2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.11.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12794.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}