PYSEC-2017-44 — Vulnetix

PYSEC-2017-44 PUBLISHED CVSS 9.300000190734863 CRITICAL

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
PyPI	django	1.11, 1.10, 1.10.1

Timeline

Sep 7, 2017 CVE Published
Nov 8, 2023 CVE Updated

References

https://www.djangoproject.com/weblog/2017/sep/05/security-releases/ article
http://www.securitytracker.com/id/1039264 url
http://www.securityfocus.com/bid/100643 url
https://github.com/advisories/GHSA-9r8w-6x8c-6jr9 advisory
https://usn.ubuntu.com/3559-1/ advisory

Open in Interactive Console →