Cross-Site Scripting Vulnerability in Django REST Framework by Django
CVE-2020-25626
What is CVE-2020-25626?
An issue has been identified in Django REST Framework versions before 3.12.0 and before 3.11.2, where the browsable API viewer does not adequately escape certain user-controlled strings. This can lead to the injection of malicious tags, creating a potential vector for cross-site scripting. When exploited, the vulnerability could allow attackers to execute arbitrary scripts in a user's browser, potentially compromising the integrity and confidentiality of user data.

Affected Version(s)
Django REST Framework: all django-rest-framework versions before 3.12.0 and before 3.11.2
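To check a dependency file against the affected range above, the following added example (not from the advisory or the project) scans requirements-style lines and classifies each Django REST Framework pin. It assumes the PyPI distribution name `djangorestframework`, handles exact `==` pins only, and reads the stated range as "anything below 3.11.2 is affected"; the sample file content is constructed.

```python
import re

# Assumption: the package is installed from PyPI as "djangorestframework".
PACKAGE = "djangorestframework"
# Fixed releases per the advisory: 3.11.2 and 3.12.0, so anything below
# 3.11.2 is treated as affected (assumed reading of the stated range).
FIRST_FIXED = (3, 11, 2)

NAME = re.compile(r"[A-Za-z0-9._-]+")
EXACT_PIN = re.compile(r"[A-Za-z0-9._-]+\s*==\s*(\d+(?:\.\d+)*)\s*(?:;.*)?")


def classify(line):
    """Return 'affected', 'fixed', 'unpinned', or None for unrelated lines."""
    stripped = line.split("#", 1)[0].strip()  # drop trailing comments
    name = NAME.match(stripped)
    if not name or name.group(0).lower() != PACKAGE:
        return None
    pin = EXACT_PIN.fullmatch(stripped)
    if not pin:
        # Ranges, extras, or no version at all: cannot decide from this line.
        return "unpinned"
    version = tuple(int(part) for part in pin.group(1).split("."))
    version += (0,) * (3 - len(version))  # "3.11" compares as 3.11.0
    return "affected" if version < FIRST_FIXED else "fixed"


def audit(text):
    """Return (line_number, status) for every line naming the package."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        status = classify(line)
        if status is not None:
            findings.append((number, status))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = """\
Django==3.1.1
djangorestframework==3.11.1   # pinned before the fix
djangorestframework==3.12.0
DjangoRestFramework>=3.10
requests==2.24.0
"""

if __name__ == "__main__":
    for number, status in audit(SAMPLE):
        print(f"line {number}: {status}")
```

Lines reported as `unpinned` need a check of the resolved version in the lock file or the installed environment.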
