Description
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
Release | Status | Note |
---|---|---|
artful | released | 1:1.11.4-1ubuntu1.1 |
devel | not-affected | 1:1.11.9-1ubuntu1 |
esm-infra-legacy/trusty | not-affected | |
esm-infra/xenial | not-affected | |
precise/esm | DNE | |
trusty | not-affected | |
trusty/esm | not-affected | |
upstream | released | 1:1.11.5-1 |
vivid/ubuntu-core | DNE | |
xenial | not-affected | |
EPSS
CVSS2: 4.3 Medium
CVSS3: 6.1 Medium
Related vulnerabilities
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoesca ...
A vulnerability in the HTML autoescaping function of the Django library for the Python programming language that allows an attacker to carry out cross-site scripting attacks