CVE-2020-25626
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browsable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site scripting (XSS) vulnerability.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2020-25626.html
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2020-25626
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 3.12.1-1 |
| debian | bullseye | fixed | 3.12.1-1 |
| debian | forky | fixed | 3.12.1-1 |
| debian | sid | fixed | 3.12.1-1 |
| debian | trixie | fixed | 3.12.1-1 |
| sles | — | affected | — |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | djangorestframework | <3.11.2 | 3.11.2 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-25626
- https://bugzilla.redhat.com/show_bug.cgi?id=1878635
- https://github.com/advisories/GHSA-fx83-3ph3-9j2q
- https://github.com/encode/django-rest-framework
- https://github.com/pypa/advisory-database/tree/main/vulns/djangorestframework/PYSEC-2020-263.yaml
- https://security.netapp.com/advisory/ntap-20201016-0003
- https://www.debian.org/security/2022/dsa-5186
- https://security-tracker.debian.org/tracker/CVE-2020-25626
- https://www.suse.com/security/cve/CVE-2020-25626.html