summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2017-08-02 16:22:35 -0400
committerTim Graham <timograham@gmail.com>2017-09-05 11:19:56 -0400
commit58e08e80e362db79eb0fd775dc81faad90dca47a (patch)
tree648f39c93bf68c965dc7664914d12b9ba9a99287 /docs
parentfba3c96a7409eb44f30f8e3aa78a642ae8b86641 (diff)
[1.10.x] Fixed CVE-2017-12794 -- Fixed XSS possibility in traceback section of technical 500 debug page.
This is a security fix.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.10.8.txt9
1 files changed, 9 insertions, 0 deletions
diff --git a/docs/releases/1.10.8.txt b/docs/releases/1.10.8.txt
index 160e555fef..3785e6535a 100644
--- a/docs/releases/1.10.8.txt
+++ b/docs/releases/1.10.8.txt
@@ -5,3 +5,12 @@ Django 1.10.8 release notes
*September 5, 2017*
Django 1.10.8 fixes a security issue in 1.10.7.
+
+CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page
+=============================================================================
+
+In older versions, HTML autoescaping was disabled in a portion of the template
+for the technical 500 debug page. Given the right circumstances, this allowed
+a cross-site scripting attack. This vulnerability shouldn't affect most
+production sites since you shouldn't run with ``DEBUG = True`` (which makes
+this page accessible) in your production settings.