[1.11.x] Fixed CVE-2017-12794 -- Fixed XSS possibility in traceback section of technical 500 debug page.

This is a security fix.
2025-10-31 09:41:08 +00:00 · 2017-08-02 16:22:35 -04:00
parent 56c445295d
commit e35a0c5608
4 changed files with 34 additions and 17 deletions
--- a/docs/releases/1.10.8.txt
+++ b/docs/releases/1.10.8.txt
@@ -5,3 +5,12 @@ Django 1.10.8 release notes
 *September 5, 2017*

 Django 1.10.8 fixes a security issue in 1.10.7.
+
+CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page
+=============================================================================
+
+In older versions, HTML autoescaping was disabled in a portion of the template
+for the technical 500 debug page. Given the right circumstances, this allowed
+a cross-site scripting attack. This vulnerability shouldn't affect most
+production sites since you shouldn't run with ``DEBUG = True`` (which makes
+this page accessible) in your production settings.
--- a/docs/releases/1.11.5.txt
+++ b/docs/releases/1.11.5.txt
@@ -6,6 +6,15 @@ Django 1.11.5 release notes

 Django 1.11.5 fixes a security issue and several bugs in 1.11.4.

+CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page
+=============================================================================
+
+In older versions, HTML autoescaping was disabled in a portion of the template
+for the technical 500 debug page. Given the right circumstances, this allowed
+a cross-site scripting attack. This vulnerability shouldn't affect most
+production sites since you shouldn't run with ``DEBUG = True`` (which makes
+this page accessible) in your production settings.
+
 Bugfixes
 ========