XSS Vulnerability in Django REST Framework Before Version 3.9.1
CVE-2018-25045

6.1MEDIUM

Key Information:

Vendor

Django-rest-framework

Status
Django Rest Framework
Vendor
CVE Published:
23 July 2022

What is CVE-2018-25045?

The Django REST Framework prior to version 3.9.1 is susceptible to cross-site scripting (XSS) attacks. This vulnerability arises due to the default settings of the DRF Browsable API, which do not enable autoescaping for the view templates. Consequently, attackers can exploit this flaw to inject malicious scripts, potentially compromising user data and application integrity. It is crucial for developers using Django REST Framework to upgrade to the latest version to safeguard their applications against such threats.

References

https://github.com/encode/django-rest-framework/pull/6191
x_refsource_MISC
https://github.com/encode/django-rest-framework/pull/6330
x_refsource_MISC
https://github.com/encode/django-rest-framework/commit/4b...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.