CVE-2021-44649: django CMS security updates - Blog

Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.


Security releases for django CMS versions 3.7.x, 3.6.x, 3.5.x and 3.4.x address medium-level vulnerabilities. We recommend updating to version 3.7.4, 3.6.1, 3.5.4 or 3.4.7.

The updated releases are now available from our GitHub repository and PyPI. Divio users can update their django CMS installations via the Control Panel.

Details

django CMS does not validate the plugin_type parameter while generating the error messages for invalid plugin types; the unvalidated value is reflected into the error output. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of an affected user.

Please see the relevant commits on GitHub for more information about the vulnerability and mitigation.
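To make the defect class concrete, the following is an added illustration written for this post, not django CMS's own code and not the content of the linked commits. It assumes a hypothetical error-message builder that is handed a plugin_type value taken from the request, and shows the reflected, unescaped pattern beside a hardened version that validates the value against an identifier grammar, escapes it before building HTML, and uses a generic message when the value is not even well-formed. The registry of plugin names is a constructed sample.

```python
import html
import re
from typing import Optional, Tuple

# Constructed sample registry of plugin type names (assumption; not the
# real django CMS plugin pool).
REGISTERED_PLUGINS = {"TextPlugin", "PicturePlugin", "LinkPlugin"}

# Plugin type names are Python class names, so a conservative identifier
# grammar is a reasonable allowlist for the raw request value.
VALID_PLUGIN_TYPE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,99}$")


def error_html_unsafe(plugin_type: str) -> str:
    """Vulnerable pattern: the request-controlled value is interpolated into
    an HTML error message without validation or escaping, so a value such as
    '<script>...</script>' is returned to the browser verbatim."""
    return f"<p>Plugin type {plugin_type} is not registered.</p>"


def error_html_safe(plugin_type: str) -> str:
    """Hardened pattern: the value is HTML-escaped before interpolation, so
    markup characters are rendered as text rather than interpreted."""
    return f"<p>Plugin type {html.escape(plugin_type, quote=True)} is not registered.</p>"


def resolve_plugin(plugin_type: str) -> Tuple[Optional[str], Optional[str]]:
    """Hypothetical lookup (assumption) that validates before it reflects.

    Returns (resolved_name, error_html). Values that fail the identifier
    grammar get a generic message that does not echo the input at all;
    well-formed but unknown names get the escaped message.
    """
    if not VALID_PLUGIN_TYPE.match(plugin_type):
        return None, "<p>Invalid plugin type.</p>"
    if plugin_type not in REGISTERED_PLUGINS:
        return None, error_html_safe(plugin_type)
    return plugin_type, None


def contains_raw_markup(rendered: str, payload: str) -> bool:
    """Check used to compare the two builders: True if the payload survived
    into the rendered HTML unchanged."""
    return payload in rendered


if __name__ == "__main__":
    probe = "<b>not-a-plugin</b>"  # constructed, benign markup probe
    print("unsafe  :", error_html_unsafe(probe))
    print("escaped :", error_html_safe(probe))
    print("resolved:", resolve_plugin("TextPlugin"))
    print("rejected:", resolve_plugin(probe))
```

The design point is that escaping and validation are complementary: escaping makes reflection harmless, while the allowlist means the generic branch never reflects a malformed value in the first place, which also keeps the error message from leaking whatever arrived in the request. A regression check in a test suite can simply assert that a markup probe never appears verbatim in any error response.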

Thanks to Sahil Dhar for the detailed report through our security email.

As ever, we remind our users and contributors that all security reports, patches and concerns should be addressed only to our security team by email, at [email protected].

Please do not use GitHub, our email lists or IRC to report, address or otherwise discuss matters relating to security.

django CMS SLAs for critical applications

Do you use django CMS in a critically important application? Please contact Divio for details of SLAs that will give you access to patches and information about vulnerabilities before disclosures or releases are made public.
