Safety vulnerability ID: 44516
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Django-cms versions 3.7.4, 3.6.1, 3.5.4 and 3.4.7 include a fix for CVE-2021-44649: Django CMS 3.7.3 and prior does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.
https://sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability
https://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1
Latest version: 4.1.4
Lean enterprise content management powered by Django.
Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user. See CVE-2021-44649.
MISC:https://sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability/: https://sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability/
MISC:https://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1/: https://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1/
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application