CVE-2017-12794
CVE-2017-12794
Vexday Risk Score
23Low
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Functional exploit
Automatable exploit available (Nuclei/Metasploit).
CVSS —EPSS 23.6%KEV nãoPoC —Nuclei simMetasploit —Patch referenciado
Lifecycle
07 Sep 2017Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
Affected products
n/a · n/a