CVE-2020-25626

moderate-risk

Published 2020-09-30

A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability.

Do I need to act?

0.71% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (3)

Django Rest Framework

Ceph Storage

Debian Linux

Affected Vendors

Debian Redhat Encode

References (6)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1878635

Third Party Advisory https://security.netapp.com/advisory/ntap-20201016-0003/

Third Party Advisory https://www.debian.org/security/2022/dsa-5186

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1878635

Third Party Advisory https://security.netapp.com/advisory/ntap-20201016-0003/

Third Party Advisory https://www.debian.org/security/2022/dsa-5186

/ 100

moderate-risk

Severity 23/34 · High

Exploitability 2/34 · Minimal

Exposure 9/34 · Low