PyPI: django-cms

CVE-2024-11319

Safety vulnerability ID: 74253

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Nov 18, 2024. Updated at Nov 29, 2024.

Advisory

Affected versions of django-cms are vulnerable to Cross-Site Scripting (CWE-79). Page attributes such as page_title were rendered by template tags in cms_tags.py without being HTML-escaped, so an attacker who can edit a page can store a crafted value in one of these fields and have it executed as script in the browser of every user who views the rendered page, enabling session compromise or unauthorized actions on that user's behalf. Note that this requires page-editing privileges (reflected in the CVSS Privileges Required: HIGH below), while the impact lands on ordinary visitors. The fix changes cms_tags.py to pass every non-datetime page attribute through Django's escape function before output, which closes the injection path.
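The advisory describes the defect in terms of the fix, so the following added example (written for this page, not django-cms's own code) reconstructs the pattern in miniature: a template-tag helper that returns a page attribute by name, first in the unescaped form and then with every non-datetime value passed through Django's escape. The security-relevant detail a practitioner should know is that Django's template autoescaping applies only to `{{ variable }}` output; whatever a custom tag's render() returns is inserted verbatim, so a tag that hands back raw page fields bypasses autoescape entirely. The Page dataclass, the ALLOWED_ATTRIBUTES tuple, the two helper functions and the sample payload are all constructed for illustration; the stdlib html.escape fallback is used only when Django is not installed and produces the same entities for & < > " ' as django.utils.html.escape.

```python
"""Constructed illustration of CVE-2024-11319's pattern: a page-attribute
template-tag helper before and after HTML escaping. Not django-cms code."""
from dataclasses import dataclass
from datetime import datetime

try:
    # This is the function the real fix uses.
    from django.utils.html import escape
except ImportError:
    # Fallback when Django is absent (assumption: same entities for & < > " ').
    from html import escape

# Hypothetical allow-list of attribute names a tag like this would accept.
ALLOWED_ATTRIBUTES = ("page_title", "menu_title", "slug", "meta_description", "changed_date")


@dataclass
class Page:
    """Minimal stand-in for a CMS page object (constructed)."""
    page_title: str
    menu_title: str
    slug: str
    meta_description: str
    changed_date: datetime


def page_attribute_vulnerable(page: Page, name: str):
    """'Before' behaviour: returns the stored value untouched.

    A template tag's render() output is NOT autoescaped by Django, so any
    markup in the field reaches the browser as-is."""
    if name not in ALLOWED_ATTRIBUTES:
        return ""
    return getattr(page, name)


def page_attribute_fixed(page: Page, name: str):
    """'After' behaviour: escape every non-datetime attribute before output.

    datetime values carry no markup and are left for date formatting later;
    everything else is run through escape() so < > & " ' become entities."""
    if name not in ALLOWED_ATTRIBUTES:
        return ""
    value = getattr(page, name)
    if isinstance(value, datetime):
        return value
    return escape(value)


def render_title(page: Page, tag_func) -> str:
    """Simulates a template fragment <title>{% page_attribute "page_title" %}</title>."""
    return f"<title>{tag_func(page, 'page_title')}</title>"


def sample_page() -> Page:
    """Constructed page whose title carries an XSS payload an editor could store."""
    return Page(
        page_title='"><script>alert(1)</script>',
        menu_title="Home",
        slug="home",
        meta_description="Welcome & more",
        changed_date=datetime(2024, 11, 18),
    )


if __name__ == "__main__":
    page = sample_page()
    print("vulnerable:", render_title(page, page_attribute_vulnerable))
    print("fixed:     ", render_title(page, page_attribute_fixed))
```

Running the module prints the raw `<script>` tag inside the `<title>` element for the vulnerable path and an entity-encoded string for the fixed one. The allow-list check is kept in both versions on purpose: restricting which attribute names a tag will read is a separate control from escaping their values, and the CVE shows that the first without the second is not enough.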

Affected package

django-cms

Latest version: 4.1.4

Lean enterprise content management powered by Django.

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources


Severity Details

CVSS v3 Base Score: 4.8 (MEDIUM)
CVSS v3 Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): HIGH
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality Impact (C): LOW
Integrity Impact (I): LOW
Availability Impact (A): NONE