Medium severity (6.1) · NVD Advisory · Published Sep 7, 2017 · Updated May 13, 2026
CVE-2017-12794
Description
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Django | PyPI | >= 1.10a1, < 1.10.8 | 1.10.8 |
| Django | PyPI | >= 1.11a1, < 1.11.5 | 1.11.5 |
Affected products
- cpe:2.3:a:djangoproject:django:1.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.10.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.11.4:*:*:*:*:*:*:*
Patches
- e35a0c56086 (https://github.com/django/django, via ghsa)
- 58e08e80e362 (https://github.com/django/django, via ghsa)
References
- www.djangoproject.com/weblog/2017/sep/05/security-releases/ (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/100643 (nvd: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1039264 (nvd: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-9r8w-6x8c-6jr9 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-12794 (ghsa: ADVISORY)
- github.com/django/django/commit/58e08e80e362db79eb0fd775dc81faad90dca47a (ghsa: WEB)
- github.com/django/django/commit/e35a0c56086924f331e9422daa266e907a4784cc (ghsa: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2017-44.yaml (ghsa: WEB)
- usn.ubuntu.com/3559-1 (ghsa: WEB)
- web.archive.org/web/20170927072701/http://www.securitytracker.com/id/1039264 (ghsa: WEB)
- web.archive.org/web/20200227150819/http://www.securityfocus.com/bid/100643 (ghsa: WEB)
- www.djangoproject.com/weblog/2017/sep/05/security-releases (ghsa: WEB)
- usn.ubuntu.com/3559-1/ (nvd)