Bug 1486451 (CVE-2017-12794) - CVE-2017-12794 python-django: Possible XSS in traceback section of technical 500 debug page
Summary: CVE-2017-12794 python-django: Possible XSS in traceback section of technical ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-12794
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1488764
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-29 19:11 UTC by Pedro Sampaio
Modified: 2021-02-17 01:40 UTC (History)
35 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:22:31 UTC


Attachments (Terms of Use)
Patch for Django master (9.06 KB, patch)
2017-08-29 19:15 UTC, Pedro Sampaio
no flags Details | Diff
Patch for Django 1.11.x (8.21 KB, patch)
2017-08-29 19:16 UTC, Pedro Sampaio
no flags Details | Diff
Patch for Django 1.10.x (7.28 KB, patch)
2017-08-29 19:16 UTC, Pedro Sampaio
no flags Details | Diff

Description Pedro Sampaio 2017-08-29 19:11:00 UTC
In older versions, HTML autoescaping was disabled in a portion of the
template for the technical 500 debug page. Given the right
circumstances, this allowed a cross-site scripting attack. This
vulnerability shouldn't affect most production sites since you shouldn't
run with ``DEBUG = True`` (which makes this page accessible) in your
production settings.

Affected versions
=================

* Django master development branch
* Django 1.11
* Django 1.10

Django 1.8 is unaffected and Django 1.9 reached end-of-life in April 2017.

Comment 1 Pedro Sampaio 2017-08-29 19:15:27 UTC
Created attachment 1319747 [details]
Patch for Django master

Comment 2 Pedro Sampaio 2017-08-29 19:16:08 UTC
Created attachment 1319748 [details]
Patch for Django 1.11.x

Comment 3 Pedro Sampaio 2017-08-29 19:16:38 UTC
Created attachment 1319749 [details]
Patch for Django 1.10.x

Comment 4 Andrej Nemec 2017-09-06 07:55:28 UTC
External References:

https://www.djangoproject.com/weblog/2017/sep/05/security-releases/

Comment 5 Andrej Nemec 2017-09-06 07:56:05 UTC
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1488764]


Note You need to log in before you can comment on or make changes to this bug.