| Name | CVE-2020-25626 |
| Description | A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-5186-1, ELA-716-1 |
| Debian Bugs | 971554 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| djangorestframework (PTS) | jessie | 2.4.3-2 | vulnerable |
| stretch (lts), stretch | 3.4.0-2+deb9u1 | fixed | |
| buster, buster (security) | 3.9.0-1+deb10u1 | fixed | |
| bullseye | 3.12.1-1 | fixed | |
| bookworm | 3.14.0-2 | fixed | |
| sid, trixie | 3.15.1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| djangorestframework | source | jessie | (unfixed) | end-of-life | ||
| djangorestframework | source | stretch | 3.4.0-2+deb9u1 | ELA-716-1 | ||
| djangorestframework | source | buster | 3.9.0-1+deb10u1 | DSA-5186-1 | ||
| djangorestframework | source | (unstable) | 3.12.1-1 | 971554 |
[stretch] - djangorestframework <no-dsa> (Minor issue)
https://github.com/encode/django-rest-framework/commit/ae649336b110afe21b9429f2554052f31a9dfaf9
Fixed upstream in 3.12.0 and 3.11.2