Django 1.11.5 and 1.10.8 have been released; both versions primarily address the following security issue:
CVE-2017-12794: Possible XSS in the traceback section of the technical 500 debug page
- In older versions, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability should not affect most production sites, because a site should not be run with `DEBUG = True` (which makes this page accessible) in its production settings.
- Affected versions:
  - Django master development branch
  - Django 1.11
  - Django 1.10
Under Django's supported-versions policy, Django 1.9 is no longer supported; Django 1.8 is not affected.
For details of the fix, see the release notes; users are advised to upgrade as soon as possible.
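The advisory's mitigation rests on production settings never setting `DEBUG = True`. As an added example (not code from the Django project or from this page), the following Python check parses a settings module with the standard library's `ast` module and fails a CI gate unless `DEBUG` is statically `False`; the sample settings strings are constructed for illustration.

```python
import ast
from typing import Optional

# Constructed sample settings modules (not taken from any real project).
PROD_SETTINGS_BAD = """
SECRET_KEY = 'placeholder'
DEBUG = True          # leaves the technical 500 debug page reachable
ALLOWED_HOSTS = ['example.com']
"""

PROD_SETTINGS_GOOD = """
DEBUG = False
ALLOWED_HOSTS = ['example.com']
"""

PROD_SETTINGS_DYNAMIC = """
import os
DEBUG = os.environ.get('DJANGO_DEBUG') == '1'   # not statically known
"""


def debug_setting(source: str) -> Optional[bool]:
    """Value of the last top-level DEBUG assignment in a settings module.

    Returns True/False for a literal bool, None when the value is computed
    (e.g. read from the environment), and False when DEBUG is never assigned,
    since Django's default for DEBUG is False.
    """
    value: Optional[bool] = None
    seen = False
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign):
            targets = node.targets
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets = [node.target]
        else:
            continue
        if not any(isinstance(t, ast.Name) and t.id == "DEBUG" for t in targets):
            continue
        seen = True
        rhs = node.value
        if isinstance(rhs, ast.Constant) and isinstance(rhs.value, bool):
            value = rhs.value
        else:
            value = None  # later assignments override earlier ones
    return value if seen else False


def settings_safe_for_production(source: str) -> bool:
    """CI gate: pass only when DEBUG is statically False (unknown counts as failing)."""
    return debug_setting(source) is False
```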