[3.6] py-django: Possible XSS in traceback section of technical 500 debug page (CVE-2017-12794)
In older versions, HTML autoescaping was disabled in a portion of the
template for the technical 500 debug page.
Given the right circumstances, this allowed a cross-site scripting
attack. This vulnerability shouldn’t affect most
production sites since you shouldn’t run with DEBUG = True (which makes
this page accessible) in your production settings.
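The advisory's practical point is twofold: the technical 500 page is only reachable when DEBUG is True, and the flaw itself was a template section that skipped HTML autoescaping. The following is an added example, not code from the advisory or from Django itself. It shows a settings guard that derives DEBUG from the environment with a safe default, an audit function that flags DEBUG=True outside a development environment, and a small renderer contrasting an autoescaped traceback row with an unescaped one. The environment variable name DJANGO_DEBUG, the function names, and the row markup are assumptions made for this example.

```python
# Added example (not part of the advisory or of Django's own code): a DEBUG
# settings guard and a minimal autoescaping demo for the debug-page issue.
import html
import os
from typing import Dict, List


def debug_from_env(env: Dict[str, str]) -> bool:
    """Derive DEBUG from an environment mapping, defaulting to False.

    Only the literal string "1" enables debug; anything else (unset, "0",
    "false", "yes") keeps the technical 500 page off. The variable name
    DJANGO_DEBUG is an assumption for this example, not a Django convention.
    """
    return env.get("DJANGO_DEBUG", "0") == "1"


def audit_settings(settings: Dict[str, object], environment: str) -> List[str]:
    """Return findings for a Django settings mapping.

    `environment` is a deployment label such as "production", "staging" or
    "dev". DEBUG=True outside "dev" makes the technical 500 page reachable,
    which is the precondition for the issue described in this advisory.
    """
    findings: List[str] = []
    if bool(settings.get("DEBUG", False)) and environment != "dev":
        findings.append(
            f"DEBUG is True in {environment}: technical 500 page is reachable"
        )
    return findings


def render_frame_var(name: str, value: str, autoescape: bool = True) -> str:
    """Render one local-variable row the way a debug page might.

    With autoescape on (the fixed behaviour), markup inside `value` is shown
    as literal text. With autoescape off (the flawed template section), the
    value is emitted raw and becomes part of the page's DOM. The row markup
    is illustrative; this is not Django's template code.
    """
    shown = html.escape(value, quote=True) if autoescape else value
    return f"<tr><td>{html.escape(name)}</td><td><pre>{shown}</pre></td></tr>"


if __name__ == "__main__":
    # Constructed sample: a production settings mapping built from os.environ.
    sample_settings = {"DEBUG": debug_from_env(dict(os.environ))}
    for finding in audit_settings(sample_settings, "production"):
        print("FINDING:", finding)
    print(render_frame_var("user_input", "<b>not markup</b>"))
```

Running the module with DJANGO_DEBUG unset reports no findings and prints the escaped row; setting DJANGO_DEBUG=1 reproduces the misconfiguration the advisory warns about and the audit flags it.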
Affected versions:
Django master development branch
Django 1.11
Django 1.10
References:
https://www.djangoproject.com/weblog/2017/sep/05/security-releases/
(from redmine: issue id 7815, created on 2017-09-11, closed on 2018-08-02)