CVE-2020-25626: XSS
First published: Mon Sep 14 2020(Updated: )
A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/djangorestframework | <3.11.2 | 3.11.2 |
| debian/djangorestframework | 3.9.0-1+deb10u1 3.12.1-1 3.14.0-2 | |
| redhat/django-rest-framework | <3.12.0 | 3.12.0 |
| redhat/django-rest-framework | <3.11.2 | 3.11.2 |
| Encode Django Rest Framework | <3.12.0 | |
| Redhat Ceph Storage | =2.0 | |
| Debian Debian Linux | =11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-25626
- https://bugzilla.redhat.com/show_bug.cgi?id=1878635
- https://security.netapp.com/advisory/ntap-20201016-0003/
- https://www.debian.org/security/2022/dsa-5186
- https://github.com/advisories/GHSA-fx83-3ph3-9j2q (Advisory)
- https://github.com/encode/django-rest-framework/commit/ae649336b110afe21b9429f2554052f31a9dfaf9
- https://security-tracker.debian.org/tracker/CVE-2020-25626
- https://access.redhat.com/errata/RHSA-2020:4136
- https://access.redhat.com/errata/RHSA-2020:4137
- https://access.redhat.com/security/cve/cve-2020-25626
- https://github.com/pypa/advisory-database/tree/main/vulns/djangorestframework/PYSEC-2020-263.yaml
- https://security.netapp.com/advisory/ntap-20201016-0003
Frequently Asked Questions
What is the severity of CVE-2020-25626?
The severity of CVE-2020-25626 is medium with a CVSS score of 6.1.
What is the impact of CVE-2020-25626?
CVE-2020-25626 allows an attacker to inject malicious script tags by exploiting certain strings from user input.
Which versions of Django REST Framework are affected by CVE-2020-25626?
Django REST Framework versions before 3.12.0 and before 3.11.2 are affected by CVE-2020-25626.
How can I fix CVE-2020-25626?
To fix CVE-2020-25626, update Django REST Framework to version 3.12.0 or apply the necessary patches provided by the respective package/source.
Where can I find more information about CVE-2020-25626?
You can find more information about CVE-2020-25626 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-25626), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1878635), [NetApp Security Advisory](https://security.netapp.com/advisory/ntap-20201016-0003/).
- collector/security-tracker-debian
- agent/author
- agent/type
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-25626
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-fx83-3ph3-9j2q
- agent/references
- agent/last-modified-date
- collector/nvd-cve
- source/NVD
- agent/tags
- collector/github-advisory
- package-manager/debian
- package-manager/redhat
- vendor/encode
- canonical/encode django rest framework
- vendor/redhat
- canonical/redhat ceph storage
- version/redhat ceph storage/2.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0
- package-manager/pip