2 results (0.024 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Django REST framework (aka django-rest-framework) before 3.9.1 allows XSS because the default DRF Browsable API view templates disable autoescaping. El marco REST de Django (también se conoce como django-rest-framework) versiones anteriores a 3.9.1, permite un ataque de tipo XSS porque las plantillas de visualización de la API navegable de DRF por defecto deshabilitan el auto escapado • https://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8 https://github.com/encode/django-rest-framework/pull/6191 https://github.com/encode/django-rest-framework/pull/6330 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0

A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability. Se encontró un fallo en Django REST Framework versiones anteriores a 3.12.0 y anteriores a 3.11.2.&#xa0;Cuando se usa el visor de la API navegable, Django REST Framework no puede escapar correctamente determinadas cadenas que pueden provenir de la entrada del usuario. • https://bugzilla.redhat.com/show_bug.cgi?id=1878635 https://security.netapp.com/advisory/ntap-20201016-0003 https://www.debian.org/security/2022/dsa-5186 https://access.redhat.com/security/cve/CVE-2020-25626 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •