CVE-2020-25626

CWE-20 — Improper Input Validation CWE-79 — Cross-site Scripting (XSS)CWE-77 — Command Injection8 documents7 sources

Severity

6.1MEDIUM

EPSS

0.7%

top 27.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Encode Django Rest Framework Debian Debian Linux Redhat Ceph Storage

Timeline

PublishedSep 30

Latest updateMar 19

Description

A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious tags, leading to a cross-site-scripting (XSS) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶PyPIdjangorestframework< 3.11.2

▶NVDencode/django_rest_framework< 3.12.0

▶Debiandjangorestframework< 3.12.1-1+3

▶CVEListV5django_rest_frameworkAll django-rest-framework versions before 3.12.0 and before 3.11.2

▶NVDredhat/ceph_storage2.0

Also affects: Debian Linux 11.0

🔴Vulnerability Details

GHSA

Cross-site Scripting (XSS) in Django REST Framework↗2021-03-19

▶

OSV

Cross-site Scripting (XSS) in Django REST Framework↗2021-03-19

▶

OSV

CVE-2020-25626: A flaw was found in Django REST Framework versions before 3↗2020-09-30

▶

CVEList

CVE-2020-25626: A flaw was found in Django REST Framework versions before 3↗2020-09-30

▶

📋Vendor Advisories

Red Hat

django-rest-framework: XSS Vulnerability in API viewer↗2020-09-30

▶

Debian

CVE-2020-25626: djangorestframework - A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11...↗2020

▶

💬Community

Bugzilla

CVE-2020-25626 django-rest-framework: XSS Vulnerability in API viewer↗2020-09-14

▶