CVE-2020-25626

NameCVE-2020-25626
DescriptionA flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5186-1, ELA-716-1
Debian Bugs971554

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
djangorestframework (PTS)jessie2.4.3-2vulnerable
stretch (lts), stretch3.4.0-2+deb9u1fixed
buster (security), buster, buster (lts)3.9.0-1+deb10u1fixed
bullseye3.12.1-1fixed
bookworm3.14.0-2+deb12u1fixed
sid, trixie3.15.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
djangorestframeworksourcejessie(unfixed)end-of-life
djangorestframeworksourcestretch3.4.0-2+deb9u1ELA-716-1
djangorestframeworksourcebuster3.9.0-1+deb10u1DSA-5186-1
djangorestframeworksource(unstable)3.12.1-1971554

Notes

[stretch] - djangorestframework <no-dsa> (Minor issue)
https://github.com/encode/django-rest-framework/commit/ae649336b110afe21b9429f2554052f31a9dfaf9
Fixed upstream in 3.12.0 and 3.11.2

Search for package or bug name: Reporting problems