A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability.

Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1878635
https://www.tenable.com/cve/CVE-2020-25626

Reproducible: Always
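The defect class described in this report is missing output escaping: a string a client controls is concatenated into the HTML of the browsable API page, so a <script> tag in it is rendered as live markup. The following is an added illustration written for this bug entry, not code from Django REST Framework or the Gentoo package; the page layout, function names and the sample value are constructed. It renders a user-controlled value first in the vulnerable unescaped form and then in the escaped form that a fix applies, with a helper that checks whether a script tag survived rendering. Django's template autoescaping and format_html() perform the same escaping the standard-library html.escape() call does here.

```python
"""Output escaping of user-controlled strings before they land in HTML.
Added illustration (hypothetical code, not Django REST Framework's).
"""
import html
import re

# Constructed sample: a value a client can supply that tries to close the
# surrounding <pre> element and open a script tag.
USER_CONTROLLED = '</pre><script>alert(1)</script><pre>'

# Matches the opening of a script element in rendered output.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_unescaped(label: str, value: str) -> str:
    """Vulnerable pattern: user-controlled strings pasted straight into HTML."""
    return f"<tr><th>{label}</th><td><pre>{value}</pre></td></tr>"


def render_escaped(label: str, value: str) -> str:
    """Hardened pattern: every user-controlled string is HTML-escaped first.

    quote=True also escapes ' and ", so the same helper is safe for values
    that end up inside attribute values, not only element text.
    """
    return (
        f"<tr><th>{html.escape(label, quote=True)}</th>"
        f"<td><pre>{html.escape(value, quote=True)}</pre></td></tr>"
    )


def contains_script_tag(rendered: str) -> bool:
    """Regression check: does the rendered HTML still carry a live <script> tag?"""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    vulnerable = render_unescaped("name", USER_CONTROLLED)
    fixed = render_escaped("name", USER_CONTROLLED)
    print("unescaped output carries a script tag:", contains_script_tag(vulnerable))
    print("escaped output carries a script tag:  ", contains_script_tag(fixed))
    print(fixed)
```

The check function is the kind of assertion worth keeping in a project's test suite after a fix of this type: feed every rendering path a value containing a script tag and assert that the output contains the entity-encoded form (&lt;script&gt;) rather than the raw tag.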
Atom in summary shouldn't be versioned until a fixed version is in tree.
ping
ping, please bump
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92f7dab687fab03cb9056f19bccf0974c70c5947

commit 92f7dab687fab03cb9056f19bccf0974c70c5947
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-01-30 15:32:04 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-01-30 15:32:04 +0000

    dev-python/djangorestframework: drop old version

    Bug: https://bugs.gentoo.org/745933
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 dev-python/djangorestframework/Manifest   |  1 -
 .../djangorestframework-3.11.1.ebuild     | 19 -------------------
 2 files changed, 20 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4e33679bbf5d6065d98579bd08a2eef2bcd06f3

commit e4e33679bbf5d6065d98579bd08a2eef2bcd06f3
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-01-30 15:30:56 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-01-30 15:30:56 +0000

    dev-python/djangorestframework: bump to version 3.12.2

    Also added python3_9 support.

    Bug: https://bugs.gentoo.org/745933
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 dev-python/djangorestframework/Manifest   |  1 +
 .../djangorestframework-3.12.2.ebuild     | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)
Thank you!