CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page
HTML auto-escaping was disabled in a portion of the template for the technical debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites, since you shouldn't run with DEBUG = True (which makes this page accessible) in your production settings.
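The mitigation the advisory points to is simply keeping DEBUG off outside development. The following is an added example, not code from the advisory or from Django, of how a settings module can derive DEBUG from the environment with a safe default and refuse to start with the unsafe combination. The variable names DJANGO_DEBUG and DJANGO_ENV are assumptions for this example, not Django conventions.

```python
"""Derive Django's DEBUG setting from the environment with a safe default.

Added example (not part of the advisory): DEBUG stays False unless an
operator explicitly opts in, so the technical 500 debug page is never
exposed by accident. DJANGO_DEBUG and DJANGO_ENV are assumed variable
names chosen for this example.
"""
import os

TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off", ""}


def env_flag(value, default=False):
    """Parse a boolean flag strictly; reject anything not clearly true or false.

    Accepting only the listed spellings means a typo such as
    DJANGO_DEBUG=ture cannot silently become truthy (bool("ture") is True).
    """
    if value is None:
        return default
    normalized = value.strip().lower()
    if normalized in TRUE_VALUES:
        return True
    if normalized in FALSE_VALUES:
        return False
    raise ValueError(f"unrecognised boolean flag value: {value!r}")


def resolve_debug(environ):
    """Compute DEBUG and refuse DEBUG=True when the deployment is production.

    The deployment name defaults to "production" so that an unset
    DJANGO_ENV is treated as the most restrictive case.
    """
    debug = env_flag(environ.get("DJANGO_DEBUG"), default=False)
    env_name = environ.get("DJANGO_ENV", "production").strip().lower()
    if debug and env_name == "production":
        raise RuntimeError(
            "DEBUG=True with DJANGO_ENV=production would expose the technical "
            "500 debug page; refusing to start"
        )
    return debug


# In settings.py this would be used as: DEBUG = resolve_debug(os.environ)
if __name__ == "__main__":
    print("DEBUG =", resolve_debug(os.environ))
```

Putting the guard in settings.py means a misconfigured container fails at startup, where the error is visible in deployment logs, rather than serving stack traces to anyone who triggers an exception.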