Cross-Site Scripting (XSS) Vulnerability in Django Debug Page

Cross-Site Scripting (XSS) Vulnerability in Django Debug Page

CVE-2017-12794 · MEDIUM Severity

AV:N/AC:M/AU:N/C:N/I:P/A:N

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.

Learn more about our Api Penetration Testing.