purl | pkg:pypi/django@1.10.0 |
Tags | Ghost |
Vulnerability | Summary | Fixed by
---|---|---
VCID-w5zz-sb5k-aaan (aliases: CVE-2017-12794, GHSA-9r8w-6x8c-6jr9, PYSEC-2017-44) | In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings. | Affected by 11 other vulnerabilities. Affected by 20 other vulnerabilities.
VCID-wvz5-nmre-aaaj (aliases: CVE-2017-7234, GHSA-h4hv-m4h4-mhwg, PYSEC-2017-10) | A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the `django.views.static.serve()` view could redirect to any other domain, aka an open redirect vulnerability. | Affected by 12 other vulnerabilities. Affected by 19 other vulnerabilities.
Vulnerability | Summary | Aliases
---|---|---
This package is not known to fix vulnerabilities. | |