Home > Vulnerability Database > CVE-2020-25626

Mend.io Vulnerability Database

CVE-2020-25626

Good to know:

Date: September 30, 2020

A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability.

Language: Python

Severity Score

6.1

Related Resources (9)

Url: https://github.com/encode/django-rest-framework

Url: https://github.com/pypa/advisory-database/tree/main/vulns/djangorestframework/PYSEC-2020-263.yaml

Url: https://security.netapp.com/advisory/ntap-20201016-0003

Url: https://github.com/advisories/GHSA-fx83-3ph3-9j2q

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-25626

Url: https://security.netapp.com/advisory/ntap-20201016-0003/

Url: https://bugzilla.redhat.com/show_bug.cgi?id=1878635

Url: https://www.debian.org/security/2022/dsa-5186

Url: https://www.mend.io/vulnerability-database/CVE-2020-25626

Severity Score

6.1

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version 3.12.1

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-25626

Good to know:

Date: September 30, 2020

Language: Python

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?