CVE-2021-44649, GHSA-hx7c-qpfq-xcrp
pypi/django-cms
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Django CMS does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.
All versions starting from 3.4.0 before 3.4.7, all versions starting from 3.5.0 before 3.5.4, all versions starting from 3.6.0 before 3.6.1, all versions starting from 3.7.0 before 3.7.4
Upgrade to versions 3.4.7, 3.5.4, 3.6.1, 3.7.4 or above.
2022-01-14
source |