CVE-2017-12794 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2017-12794 Interim 1 31 2025-11-05T03:53:01Z current 2021-05-30T14:00:12Z 2025-11-05T03:53:01Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2017-12794 In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2018-April/003895.html E-Mail link for SUSE-SU-2018:0973-1 https://lists.suse.com/pipermail/sle-security-updates/2018-April/003965.html E-Mail link for SUSE-SU-2018:1102-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OGS4NP24275NERRPQV6A6EONV6W3C2SK/ E-Mail link for openSUSE-SU-2023:0077-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Enterprise Storage 2.1 SUSE Enterprise Storage 3 SUSE Enterprise Storage 4 SUSE OpenStack Cloud 6 SUSE OpenStack Cloud 7 SUSE Package Hub 12 SUSE Package Hub 12 SP1 openSUSE Tumbleweed python-Django python-Django-1.11.10-5.1 python-Django-1.11.15-2.1 python-Django-1.8.19-3.4.1 python-Django-1.8.19-3.6.1 python310-Django-4.2.11-2.1 python310-Django4-4.2.14-1.1 python311-Django-4.2.11-2.1 python311-Django4-4.2.14-1.1 python312-Django-4.2.11-2.1 python312-Django4-4.2.14-1.1 python36-Django-3.2.7-2.3 python38-Django-3.2.7-2.3 python39-Django-3.2.7-2.3 python-Django-1.8.19-3.6.1 as a component of SUSE OpenStack Cloud 6 python-Django-1.8.19-3.4.1 as a component of SUSE OpenStack Cloud 7 python-Django-1.11.10-5.1 as a component of SUSE Package Hub 12 python-Django-1.11.15-2.1 as a component of SUSE Package Hub 12 SP1 python310-Django-4.2.11-2.1 as a component of openSUSE Tumbleweed python310-Django4-4.2.14-1.1 as a component of openSUSE Tumbleweed python311-Django-4.2.11-2.1 as a component of openSUSE Tumbleweed python311-Django4-4.2.14-1.1 as a component of openSUSE Tumbleweed python312-Django-4.2.11-2.1 as a component of openSUSE Tumbleweed python312-Django4-4.2.14-1.1 as a component of openSUSE Tumbleweed python36-Django-3.2.7-2.3 as a component of openSUSE Tumbleweed python38-Django-3.2.7-2.3 as a component of openSUSE Tumbleweed python39-Django-3.2.7-2.3 as a component of openSUSE Tumbleweed python-Django as a component of SUSE Enterprise Storage 2.1 python-Django as a component of SUSE Enterprise Storage 3 python-Django as a component of SUSE Enterprise Storage 4 In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings. CVE-2017-12794 SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1 SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1 SUSE Package Hub 12:python-Django-1.11.10-5.1 SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1 openSUSE Tumbleweed:python310-Django-4.2.11-2.1 openSUSE Tumbleweed:python310-Django4-4.2.14-1.1 openSUSE Tumbleweed:python311-Django-4.2.11-2.1 openSUSE Tumbleweed:python311-Django4-4.2.14-1.1 openSUSE Tumbleweed:python312-Django-4.2.11-2.1 openSUSE Tumbleweed:python312-Django4-4.2.14-1.1 openSUSE Tumbleweed:python36-Django-3.2.7-2.3 openSUSE Tumbleweed:python38-Django-3.2.7-2.3 openSUSE Tumbleweed:python39-Django-3.2.7-2.3 SUSE Enterprise Storage 2.1:python-Django SUSE Enterprise Storage 3:python-Django SUSE Enterprise Storage 4:python-Django moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N