Source: djangorestframework Version: 3.11.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for djangorestframework. CVE-2020-25626[0]: | A flaw was found in Django REST Framework versions before 3.12.0 and | before 3.11.2. When using the browseable API viewer, Django REST | Framework fails to properly escape certain strings that can come from | user input. This allows a user who can control those strings to inject | malicious <script> tags, leading to a cross-site-scripting (XSS) | vulnerability. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-25626 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25626 [1] https://github.com/encode/django-rest-framework/commit/4121b01b912668c049b26194a9a107c27a332429 Please adjust the affected versions in the BTS as needed. Regards, Salvatore