CVE-2017-12794

Published: 05 Sep 2017
Source: redhat
CVSS3: 4

Description

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
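The advisory makes two separable points: the affected version ranges, and the fact that the vulnerable page is only reachable when DEBUG is on. The following is an added example (not code from exploitDog, Red Hat or the Django project) that turns both into checks a practitioner can run in CI, and shows, with a simplified stand-in for a debug-page cell, why disabling autoescaping in a traceback view matters. It assumes only the version ranges exactly as the advisory states them; the settings fragment and the payload string are constructed for the demonstration.

```python
"""Checks derived from the CVE-2017-12794 advisory text.

Added example, not code from exploitDog, Red Hat or the Django project.
It assumes the affected/fixed versions exactly as the advisory states them
(1.10.x before 1.10.8, 1.11.x before 1.11.5) and nothing else.
"""
import ast
import html
import re
from typing import Optional, Tuple

# First patch release per series that is no longer affected, per the advisory.
FIXED_PATCH = {(1, 10): 8, (1, 11): 5}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a Django version string to (major, minor, patch).

    Pre-release suffixes such as '1.11rc1' are treated as patch level 0,
    so they compare as earlier than the fixed release.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the version lies in one of the ranges the advisory names.

    Series the advisory does not mention (1.8, 2.0, ...) return False; this
    says nothing about other CVEs in those series.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


def debug_literal(settings_source: str) -> Optional[bool]:
    """Inspect a Django settings module's source without importing it.

    Returns True/False for a top-level literal ``DEBUG = True/False`` and
    None when DEBUG is absent or computed at runtime (e.g. from an
    environment variable). A deployment check should treat None as
    'verify by other means', not as 'safe'.
    """
    tree = ast.parse(settings_source)
    result: Optional[bool] = None
    for node in tree.body:
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "DEBUG" for t in node.targets):
            continue
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, bool):
            result = value.value  # the last top-level assignment wins, as in Python
        else:
            result = None
    return result


def render_variable_cell(value: str, autoescape: bool) -> str:
    """Simplified stand-in for one 'local variable' cell on a debug page.

    This is the class of bug the advisory describes: with autoescaping off,
    a request-derived value reaches the HTML as markup; with autoescaping on
    the same value is shown as inert text.
    """
    shown = value if not autoescape else html.escape(value, quote=True)
    return f"<td><pre>{shown}</pre></td>"


if __name__ == "__main__":
    # Constructed settings fragment, not taken from any real project.
    PROD_SETTINGS = "ALLOWED_HOSTS = ['example.internal']\nDEBUG = True\n"
    for v in ("1.10.7", "1.10.8", "1.11.4", "1.11.5", "2.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("DEBUG literal in settings:", debug_literal(PROD_SETTINGS))
    payload = "<script>alert(document.cookie)</script>"  # constructed test value
    print(render_variable_cell(payload, autoescape=False))
    print(render_variable_cell(payload, autoescape=True))
```

Run it against the output of `python -m django --version` and the production settings file; a version in the affected range together with a literal `DEBUG = True` is the combination the advisory warns about, and `debug_literal` returning None means the value is set at runtime and must be confirmed on the deployed host instead.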

Affected packages

Platform                                                                 Package         State
Red Hat Ceph Storage 1.3                                                 Django          Not affected
Red Hat Ceph Storage 2                                                   python-django   Not affected
Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)                 python-django   Not affected
Red Hat Enterprise Linux OpenStack Platform 6 (Juno)                     python-django   Not affected
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)                     python-django   Not affected
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operational Tools   python-django   Not affected
Red Hat OpenStack Platform 10 (Newton)                                   python-django   Not affected
Red Hat OpenStack Platform 10 (Newton) Operational Tools                 python-django   Not affected
Red Hat OpenStack Platform 11 (Ocata)                                    python-django   Not affected
Red Hat OpenStack Platform 12 (Pike)                                     python-django   Not affected

The Recommendation and Release columns are empty for every row.


Additional information

Status: Low
Defect: CWE-79
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1486451 (python-django: Possible XSS in traceback section of technical 500 debug page)

CVSS3: 4 (Medium)

Related vulnerabilities

ubuntu (CVSS3: 6.1, almost 8 years ago): same description as the Red Hat entry above.

nvd (CVSS3: 6.1, almost 8 years ago): same description as the Red Hat entry above.

debian (CVSS3: 6.1, almost 8 years ago): In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoesca ...

github (CVSS3: 6.1, more than 6 years ago): Django vulnerable to XSS on 500 pages

fstec (CVSS3: 6.1, almost 8 years ago): Vulnerability in the HTML auto-escaping function of the Django library for the Python programming language that allows an attacker to carry out cross-site scripting attacks
