From 58e08e80e362db79eb0fd775dc81faad90dca47a Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Wed, 2 Aug 2017 16:22:35 -0400 Subject: [1.10.x] Fixed CVE-2017-12794 -- Fixed XSS possibility in traceback section of technical 500 debug page. This is a security fix. --- docs/releases/1.10.8.txt | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'docs') diff --git a/docs/releases/1.10.8.txt b/docs/releases/1.10.8.txt index 160e555fef..3785e6535a 100644 --- a/docs/releases/1.10.8.txt +++ b/docs/releases/1.10.8.txt @@ -5,3 +5,12 @@ Django 1.10.8 release notes *September 5, 2017* Django 1.10.8 fixes a security issue in 1.10.7. + +CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page +============================================================================= + +In older versions, HTML autoescaping was disabled in a portion of the template +for the technical 500 debug page. Given the right circumstances, this allowed +a cross-site scripting attack. This vulnerability shouldn't affect most +production sites since you shouldn't run with ``DEBUG = True`` (which makes +this page accessible) in your production settings. -- cgit v1.3