1486451 – (CVE-2017-12794) CVE-2017-12794 python-django: Possible XSS in traceback section of technical 500 debug page

Bug 1486451 (CVE-2017-12794) - CVE-2017-12794 python-django: Possible XSS in traceback section of technical 500 debug page

Summary: CVE-2017-12794 python-django: Possible XSS in traceback section of technical ...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2017-12794
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1488764
Blocks:
TreeView+	depends on / blocked

Reported:	2017-08-29 19:11 UTC by Pedro Sampaio
Modified:	2021-02-17 01:40 UTC (History)
CC List:	35 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2019-06-08 03:22:31 UTC
Embargoed:

Attachments	(Terms of Use)
Patch for Django master (9.06 KB, patch) 2017-08-29 19:15 UTC, Pedro Sampaio	no flags	Details \| Diff
Patch for Django 1.11.x (8.21 KB, patch) 2017-08-29 19:16 UTC, Pedro Sampaio	no flags	Details \| Diff
Patch for Django 1.10.x (7.28 KB, patch) 2017-08-29 19:16 UTC, Pedro Sampaio	no flags	Details \| Diff
View All

Description Pedro Sampaio 2017-08-29 19:11:00 UTC

In older versions, HTML autoescaping was disabled in a portion of the
template for the technical 500 debug page. Given the right
circumstances, this allowed a cross-site scripting attack. This
vulnerability shouldn't affect most production sites since you shouldn't
run with ``DEBUG = True`` (which makes this page accessible) in your
production settings.

Affected versions
=================

* Django master development branch
* Django 1.11
* Django 1.10

Django 1.8 is unaffected and Django 1.9 reached end-of-life in April 2017.

Comment 1 Pedro Sampaio 2017-08-29 19:15:27 UTC

Created attachment 1319747 [details]
Patch for Django master

Comment 2 Pedro Sampaio 2017-08-29 19:16:08 UTC

Created attachment 1319748 [details]
Patch for Django 1.11.x

Comment 3 Pedro Sampaio 2017-08-29 19:16:38 UTC

Created attachment 1319749 [details]
Patch for Django 1.10.x

Comment 4 Andrej Nemec 2017-09-06 07:55:28 UTC

External References:

https://www.djangoproject.com/weblog/2017/sep/05/security-releases/

Comment 5 Andrej Nemec 2017-09-06 07:56:05 UTC

Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1488764]

Note You need to log in before you can comment on or make changes to this bug.

apevec
bcourt
bkearney
cbillett
chrisw
gmollett
hvyas
jakub.dornak
jal233
jjoyce
jmatthew
jschluet
kbasil
lhh
lpeer
markmc
mburns
mhroncok
michel
mmccune
mrike
mrunge
ohadlevy
rbryant
rhos-maint
sclewis
security-response-team
sgallagh
sisharma
slinaber
smooge
srevivo
tdecacqu
tomckay
tsanders