VDB
ALPINE-CVE-2017-12794
ALPINE-CVE-2017-12794
PUBLISHED
CVSS 6.099999904632568 MEDIUM
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
Risk Scores
CVSS 3.0
6.099999904632568
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.12 | py3-django | 1.6.5-r0, 1.5.8-r0, 1.5.7-r0 |
| Alpine:v3.6 | py-django | 1.11-r0, 0, 1.8.8-r0 |
| Alpine:v3.10 | py-django | 1.6.6-r0, 1.7-r0, 1.8-r0 |
| Alpine:v3.11 | py3-django | 1.5.6-r0, 1.10.5-r0, 1.2.5-r0 |
| Alpine:v3.9 | py-django | 0, 1.8.8-r0, 1.8.7-r0 |
| Alpine:v3.7 | py-django | 1.6.6-r0, 0, 1.10.5-r0 |
| Alpine:v3.8 | py-django | 1.6.6-r0, 1.10.5-r0, 1.10.7-r0 |
Exploit Intelligence
- Nuclei Template: CVE-2017-12794 (nuclei-template)
Timeline
- Sep 7, 2017 CVE Published
- Apr 30, 2026 Distribution Patch
- Jun 15, 2026 CVE Updated