CVE-2020-25626 – djangorestframework
Package
Manager: pip
Name: djangorestframework
Vulnerable Version: >=0 <3.11.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00842 (percentile 0.73886)
Details
Cross-site Scripting (XSS) in Django REST Framework
A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browsable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site scripting (XSS) vulnerability.
Metadata
Created: 2021-03-19T21:32:47Z
Modified: 2024-09-20T14:56:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-fx83-3ph3-9j2q/GHSA-fx83-3ph3-9j2q.json
CWE IDs: ["CWE-20", "CWE-79"]
Alternative ID: GHSA-fx83-3ph3-9j2q
Finding: F425
Auto approve: 1