CVE-2018-25045
MEDIUMdjango-rest-framework < 3.9.1 - Cross-Site Scripting via Browsable API View Templates
Title source: llmDescription
Django REST framework (aka django-rest-framework) before 3.9.1 allows XSS because the default DRF Browsable API view templates disable autoescaping.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_misc
https://github.com/encode/django-rest-framework/pull/6191
Third Party Advisory x_refsource_misc
https://github.com/encode/django-rest-framework/pull/6330
Patch, Third Party Advisory x_refsource_misc
https://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8
Scores
CVSS v3
6.1
EPSS
0.0060
EPSS Percentile
44.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
django-rest-framework/django_rest_framework
< 3.9.1
pypi/django-rest-framework
0 - 3.9.1PyPI
Published
Jul 23, 2022
Tracked Since
Feb 18, 2026