From 7824f40d6ab2be1abb9bbfd197d01547e7fa1d02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Zaj=C4=85c?= Date: Fri, 19 Jul 2024 08:02:13 +0200 Subject: [PATCH 1/2] Removing unneccessary text from template description --- http/cves/2017/CVE-2017-12794.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/http/cves/2017/CVE-2017-12794.yaml b/http/cves/2017/CVE-2017-12794.yaml index e601acc5ff..a403f32cb9 100644 --- a/http/cves/2017/CVE-2017-12794.yaml +++ b/http/cves/2017/CVE-2017-12794.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: medium description: | - Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5 has HTML autoescaping disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allows a cross-site scripting attack. This vulnerability shouldn't affect most production sites since run with "DEBUG = True" is not on by default (which is what makes the page visible). + Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5 has HTML autoescaping disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allows a cross-site scripting attack. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. remediation: | @@ -51,4 +51,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100efedfed019372fabd4ec462ca8128065b5c74513db3e9e565a9f74f45b7714c802206c5fe554f4a89a675c078661b0ad020fd9ccad466d1ecd821a5632bbc74749ba:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100efedfed019372fabd4ec462ca8128065b5c74513db3e9e565a9f74f45b7714c802206c5fe554f4a89a675c078661b0ad020fd9ccad466d1ecd821a5632bbc74749ba:922c64590222798bb761d5b6d8e72950 From c7e277bdb6aae105b6528f70d11d226ad1b82995 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Krzysztof=20Zaj=C4=85c?= Date: Fri, 19 Jul 2024 08:04:01 +0200 Subject: [PATCH 2/2] Removing unneccessary text from template description --- http/cves/2017/CVE-2017-12794.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/http/cves/2017/CVE-2017-12794.yaml b/http/cves/2017/CVE-2017-12794.yaml index a403f32cb9..310a39e82a 100644 --- a/http/cves/2017/CVE-2017-12794.yaml +++ b/http/cves/2017/CVE-2017-12794.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: medium description: | - Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5 has HTML autoescaping disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allows a cross-site scripting attack. + Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5 has HTML autoescaping disabled in a portion of the template for the technical 500 debug page. We detected that right circumstances (DEBUG=True) are present to allow a cross-site scripting attack. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. remediation: |
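Review bot: The first hunk of PATCH 1/2 (the `description` block of CVE-2017-12794.yaml) drops the only sentence that scoped the issue, namely that the technical 500 page is reachable only when the site runs with `DEBUG = True`, which is off by default. Removing it leaves a description that reads as if every Django 1.10.x/1.11.x deployment is exposed. If the goal is to cut the awkward wording, keep the condition and rephrase it instead, e.g. `This only affects sites running with DEBUG = True, which is not the default.`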
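Review bot: The second hunk of PATCH 1/2 changes nothing in the `# digest:` value; it only adds the missing trailing newline (`\ No newline at end of file` goes away). Since the template body above it was edited in the same commit, the old signature no longer covers the current content, so this digest line will need to be regenerated by the project's signing step before merge; adding the newline alone does not do that. Worth mentioning in the PR description so nobody reads the unchanged digest as a sign that the template is still signed.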
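Review bot: The hunk in PATCH 2/2 turns the `description` into a finding statement (`We detected that right circumstances (DEBUG=True) are present to allow a cross-site scripting attack.`), but `description` is static metadata about the CVE, and the visible matcher in this template is only `type: status` / `200`, which on its own does not demonstrate that `DEBUG=True` is set. Keep the description declarative (`The technical 500 debug page is only rendered when DEBUG = True; the template checks for that page.`) and, if the "we detected" wording is wanted, put it in the scanner output rather than in the CVE description. Minor: "right circumstances" needs the article ("the right circumstances"), and both commits carry the identical subject `Removing unneccessary text from template description` (also misspelled, "unnecessary") although the second commit re-adds text rather than removing it; squashing the two into one commit with an accurate message would make the history easier to read.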