CVE-2020-25626
Severity: MEDIUM
Django REST Framework < 3.12.0 and < 3.11.2 - Cross-Site Scripting in Browseable API Viewer
A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site scripting (XSS) vulnerability.
References (3)
Core References
Issue Tracking, Vendor Advisory (x_refsource_misc): https://bugzilla.redhat.com/show_bug.cgi?id=1878635
Third Party Advisory (x_refsource_confirm): https://security.netapp.com/advisory/ntap-20201016-0003/
Third Party Advisory, vendor-advisory (x_refsource_debian): https://www.debian.org/security/2022/dsa-5186
Scores
CVSS v3: 6.1
EPSS: 0.0072
EPSS Percentile: 72.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-20, CWE-79
Status: published
Products (4)
debian/debian_linux: 11.0
encode/django_rest_framework: < 3.12.0
pypi/djangorestframework: 0 - 3.11.2 (PyPI)
redhat/ceph_storage: 2.0
Published: Sep 30, 2020
Tracked Since: Feb 18, 2026