
Django CMS djangocms-attributes-field 3.0.0 Stored XSS Vulnerability

20 Nov 2024   |   ALI İLTIZAR   |   Reading Time: 3 min   |   Updated: 20 Nov 2024

Security Update: Issue Fixed

The fix for this vulnerability has been committed here:

https://github.com/django-cms/djangocms-attributes-field/commit/fe68d29ab78db5885bc31b67cf0537f1f02b33ad

Vendor Advisory:

https://www.django-cms.org/en/blog/2024/11/19/security-updates-for-django-filer-and-django-cms-attributes-field/

django CMS Attributes Fields did validate the attributes when validating the model field, but not when validating the form field. This led to a security issue in apps that use the form field (not apps using the model field), e.g. in django CMS Frontend. This is fixed in django CMS Attributes Field 4.0. Also, attributes that execute JavaScript are disallowed by default.

We recommend all users of django Filer and django CMS Attributes Field to update to the new versions.

CVE-ID: CVE-2024-11406

CVSS Score:

CVSS v3.1 Base Score: 6.9 - Medium

  • CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

Affected Versions:

  • djangocms-attributes-field 3.0.0

Vulnerability Summary:

The vulnerability resides in the Django CMS admin panel under the Page Editing interface, specifically when utilizing the "Add plugin to placeholder 'Page Content'" feature. Malicious payloads can be injected into the "Attributes" field of plugins like "card" or "badge," leading to Stored XSS attacks.

Technical Details:

Location of the Vulnerability:

The vulnerability is found in the Django CMS admin panel at the page editing endpoint:
http://127.0.0.1:8000/en/admin/cms/placeholder/object/10/edit/1/.

The issue arises when editing page content using the "Add plugin to placeholder 'Page Content'" feature. Plugins such as "card" and "badge" accept unsanitized input in the "Attributes" field of their "Advanced settings" section, and that input is rendered into the page markup.

Proof of Concept:

Steps to Reproduce:

  1. Log in to the Django CMS admin panel with valid credentials.
  2. Navigate to the Page Editing section at:
    http://127.0.0.1:8000/en/admin/cms/placeholder/object/10/edit/1/.
  3. Select "Add plugin to placeholder 'Page Content'" and choose a plugin (e.g., card, badge).
  4. In the plugin configuration, go to the "Advanced settings" section.
  5. Input the following payload in the "Attributes" field:
     
    </div><img src=x onerror="alert('iltosec')"
  6. Save and preview the page.
  7. Observe the payload execution upon viewing the page.

Impact

This vulnerability allows Stored Cross-Site Scripting (XSS), which can result in:

  • Arbitrary script execution in the context of affected users' browsers.
  • Compromise of user sessions and sensitive information.
  • Modification of site data viewed by all users accessing the page.

The impact is especially severe because the modifications affect all users viewing the main page content.

Remediation:

  • To mitigate this vulnerability:

    1. Input Validation and Sanitization:
      • Ensure all input fields, especially those in "Advanced settings", are properly sanitized.
    2. Content Security Policy (CSP):
      • Implement robust CSP headers to prevent the execution of malicious scripts.
    3. Regular Updates:
      • Apply security patches and updates to Django CMS and its plugins regularly.
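The following Python illustrates remediation item 1 together with the gap the vendor advisory describes (attributes validated on the model field but not on the form field). It is example code written for this post, not code from djangocms-attributes-field or django CMS; the attribute-name pattern, the refusal of names starting with "on", and the URL scheme check are assumptions standing in for the project's own rules, and the `name=value` line format of the form input is likewise invented for the demonstration.

```python
import html
import re

# Constructed policy for this example; an assumption, not the project's own rule set.
ATTRIBUTE_NAME_RE = re.compile(r"^[A-Za-z_:][A-Za-z0-9_:.\-]*$")
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def validate_attributes(attrs):
    """Return a list of rejection reasons; an empty list means every pair is acceptable.

    Three checks cover the classes of payload an attributes field can carry:
    - the name must be a plain token, so it cannot close the current tag or open a new one;
    - names beginning with "on" are event handlers and are refused outright;
    - URL-bearing attributes may not use a script scheme (whitespace and control
      characters are stripped first, because browsers ignore them inside the scheme).
    """
    problems = []
    for name, value in attrs.items():
        name = str(name)
        if not ATTRIBUTE_NAME_RE.match(name):
            problems.append(f"malformed attribute name: {name!r}")
            continue  # nothing further to say about a name that is not a token
        lowered = name.lower()
        if lowered.startswith("on"):
            problems.append(f"event handler attribute refused: {name!r}")
        if lowered in URL_ATTRIBUTES:
            compact = re.sub(r"[\x00-\x20]", "", str(value)).lower()
            if compact.startswith(SCRIPT_SCHEMES):
                problems.append(f"script scheme URL refused in {name!r}")
    return problems


def clean_form_value(raw, validate=True):
    """Model a form field's clean(): parse constructed 'name=value' lines into a dict.

    validate=False reproduces the pre-fix situation the vendor described, where the
    model field validated but the form field handed the dict through untouched.
    """
    attrs = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    if validate:
        problems = validate_attributes(attrs)
        if problems:
            raise ValueError("; ".join(problems))
    return attrs


def render_attributes(attrs):
    """Render attributes for insertion into a tag.

    Validation is repeated at the output boundary and every value is escaped, so a
    dict that reached the database through an unvalidated path still cannot break
    out of the attribute quotes when the page is rendered.
    """
    problems = validate_attributes(attrs)
    if problems:
        raise ValueError("; ".join(problems))
    return "".join(
        f' {name}="{html.escape(str(value), quote=True)}"' for name, value in attrs.items()
    )


if __name__ == "__main__":
    # The payload quoted in this advisory, supplied as an attribute name.
    poc = {"</div><img src=x onerror=\"alert('iltosec')\"": ""}
    print(validate_attributes(poc))  # ['malformed attribute name: ...']
    print(render_attributes({"class": "card", "data-id": "7"}))  #  class="card" data-id="7"
```

The point of keeping `validate_attributes` as one shared function is that both entry points (the form field's clean and the model field's validation) and the renderer call the same rule set; the original issue was precisely that one entry point skipped it. Validating again in `render_attributes` is the defence-in-depth step for records that were stored before the fix was applied.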

Timeline:

  Date          Status
  16-NOV-2024   Reported to vendor
  18-NOV-2024   Vendor acknowledgement
  20-NOV-2024   Vulnerability fixed
  20-NOV-2024   Patch available
  20-NOV-2024   Public Disclosure
