CVE-2020-25626

NameCVE-2020-25626
DescriptionA flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs971554

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
djangorestframework (PTS)stretch3.4.0-2vulnerable
buster3.9.0-1vulnerable
bullseye3.11.0-1vulnerable
sid3.12.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
djangorestframeworksource(unstable)3.12.1-1971554

Notes

[buster] - djangorestframework <no-dsa> (Minor issue)
[stretch] - djangorestframework <no-dsa> (Minor issue)
https://github.com/encode/django-rest-framework/commit/4121b01b912668c049b26194a9a107c27a332429
Fixed upstream in 3.12.0 and 3.11.2

Search for package or bug name: Reporting problems