CVE-2021-44649

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/django-cms

Identifiers

CVE-2021-44649, GHSA-hx7c-qpfq-xcrp

Package Slug

pypi/django-cms

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

Django CMS does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.

Affected Versions

All versions starting from 3.4.0 before 3.4.7, all versions starting from 3.5.0 before 3.5.4, all versions starting from 3.6.0 before 3.6.1, all versions starting from 3.7.0 before 3.7.4

Solution

Upgrade to versions 3.4.7, 3.5.4, 3.6.1, 3.7.4 or above.

Last Modified

2022-01-14

source