PT-2020-16135 · Django · Django Rest Framework
Published 2020-09-30 · Updated 2022-09-28
CVE-2020-25626
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Django REST Framework versions prior to 3.12.0
Django REST Framework versions prior to 3.11.2
Description
A flaw in Django REST Framework allows cross-site scripting (XSS) through the browsable API viewer. The framework fails to properly escape certain user-supplied strings before rendering them in the browsable API pages, so a user who controls those strings can inject script tags that execute in the browser of anyone viewing the page.
Recommendations
For versions prior to 3.12.0, update to version 3.12.0 or later to resolve the issue.
For versions prior to 3.11.2, update to version 3.11.2 or later to resolve the issue.
As a temporary workaround, consider disabling the browsable API viewer until the update can be applied.
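A pre-deployment check for the two recommendations above, added here as an example and not part of the advisory: it decides from the installed DRF version string whether an install is still affected, and rewrites a Django `REST_FRAMEWORK` settings dict so that the browsable API renderer is removed. The `DEFAULT_RENDERER_CLASSES` key and the renderer class paths are DRF's own; the sample version strings and settings are constructed.

```python
# Added example (not the advisory's or DRF's own code): gate on the fixed
# releases named above and apply the "disable the browsable API" workaround
# to a settings dict. Version strings and settings below are constructed.
from typing import Dict, List, Tuple

BROWSABLE = "rest_framework.renderers.BrowsableAPIRenderer"
JSON_RENDERER = "rest_framework.renderers.JSONRenderer"
# DRF's shipped default when DEFAULT_RENDERER_CLASSES is not set.
DEFAULT_RENDERERS = [JSON_RENDERER, BROWSABLE]
# 3.11.2 (backport) and 3.12.0 carry the fix, so anything below 3.11.2 is affected.
FIXED_VERSION = (3, 11, 2)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.11.1' into (3, 11, 1); a suffix such as 'rc1' is ignored."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:              # keep only the leading digits of each piece
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True for every release before 3.11.2 (CVE-2020-25626 unpatched)."""
    return parse_version(version) < FIXED_VERSION


def harden_settings(rest_framework: Dict) -> Dict:
    """Copy of REST_FRAMEWORK with BrowsableAPIRenderer dropped.

    Browser requests that negotiate text/html then fall through to the
    remaining renderer (JSON), so the vulnerable HTML pages are never served.
    """
    hardened = dict(rest_framework)
    renderers: List[str] = list(rest_framework.get("DEFAULT_RENDERER_CLASSES", DEFAULT_RENDERERS))
    hardened["DEFAULT_RENDERER_CLASSES"] = [r for r in renderers if r != BROWSABLE]
    return hardened


def required_actions(version: str, rest_framework: Dict) -> List[str]:
    """Operator to-do list for one install; empty means nothing to do."""
    actions = []
    if is_vulnerable(version):
        actions.append("update to 3.11.2 / 3.12.0 or later")
        if BROWSABLE in rest_framework.get("DEFAULT_RENDERER_CLASSES", DEFAULT_RENDERERS):
            actions.append("disable BrowsableAPIRenderer until the update is applied")
    return actions
```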
Affected Products: Django Rest Framework, Suse