A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browsable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site scripting (XSS) vulnerability.
References
| Link | Resource |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1878635 | Issue Tracking, Vendor Advisory |
| https://security.netapp.com/advisory/ntap-20201016-0003/ | Third Party Advisory |
| https://www.debian.org/security/2022/dsa-5186 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2020-09-30T19:24:45
Updated: 2022-07-22T19:06:14
Reserved: 2020-09-16T00:00:00
Link: CVE-2020-25626
NVD Information
Status: Modified
Published: 2020-09-30T20:15:15.480
Modified: 2023-11-07T03:20:17.287
Link: CVE-2020-25626
Redhat Information
No data.