Security Update: Issue Fixed
The fix for this vulnerability has been committed here:
Vendor Advisory:
django CMS Attributes Fields did validate the attributes when validating the model field, but not when validating the form field. This led to a security issue in apps that use the form field (not apps using the model field), e.g. in django CMS Frontend. This is fixed in django CMS Attributes Field 4.0. Also, attributes that execute JavaScript are disallowed by default.
We recommend all users of django Filer and django CMS Attributes Field to update to the new versions.
CVE-ID: CVE-2024-11406
CVSS Score:
CVSS v3.1 Base Score: 6.9 - Medium
- CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Affected Versions:
- djangocms-attributes-field 3.0.0
Vulnerability Summary:
The vulnerability is reached through the Django CMS admin panel under the Page Editing interface, specifically when using the "Add plugin to placeholder 'Page Content'" feature. The root cause is in djangocms-attributes-field: its form field, unlike its model field, did not validate the submitted attributes, so arbitrary attribute names and values (including JavaScript event handlers) could be stored in the "Attributes" field of plugins like "card" or "badge" and rendered to every visitor, leading to Stored XSS.
Technical Details:
Location of the Vulnerability:
The vulnerability is found in the Django CMS admin panel at the page editing endpoint: http://127.0.0.1:8000/en/admin/cms/placeholder/object/10/edit/1/.
The issue arises when editing page content using the "Add plugin to placeholder 'Page Content'" feature. Plugins such as "card" and "badge" expose the "Attributes" field in their "Advanced settings" section, and in djangocms-attributes-field 3.0.0 the input submitted there is stored without the validation that the model field applies.
Proof of Concept:
Steps to Reproduce:
- Log in to the Django CMS admin panel with an account permitted to edit page content (the CVSS vector rates this as high privileges, PR:H).
- Navigate to the Page Editing section at: http://127.0.0.1:8000/en/admin/cms/placeholder/object/10/edit/1/
- Select "Add plugin to placeholder 'Page Content'" and choose a plugin (e.g., card, badge).
- In the plugin configuration, go to the "Advanced settings" section.
- Input the following payload in the "Attributes" field:
- Save and preview the page.
- Observe the payload execution upon viewing the page.
Impact
This vulnerability allows Stored Cross-Site Scripting (XSS), which can result in:
- Arbitrary script execution in the context of affected users' browsers.
- Compromise of user sessions and sensitive information.
- Modification of site data viewed by all users accessing the page.
The impact is especially severe because the modifications affect all users viewing the main page content.
Remediation:
To mitigate this vulnerability:
- Upgrade:
- Update djangocms-attributes-field to 4.0 or later, where the form field applies the same validation as the model field and attributes that execute JavaScript are rejected by default.
- Input Validation and Sanitization:
- Ensure all input fields, especially those in "Advanced settings", are validated before being rendered. Reject attribute names that are event handlers (on*) and URL-bearing attributes whose value uses a javascript: scheme; escaping attribute values alone does not help when the attribute name itself is attacker-chosen.
- Content Security Policy (CSP):
- Deploy a CSP that does not allow 'unsafe-inline' for scripts, so that inline event handlers and javascript: URLs are blocked by the browser. This is defense in depth and limits what an injected handler can do; it is not a substitute for the fix.
- Regular Updates:
- Apply security patches and updates to Django CMS and its plugins regularly.
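The following is an added example, not djangocms-attributes-field's own code, illustrating both the vendor's description of the bug (the model field validated attributes, the form field did not) and the validation called for under Remediation. A single validator is shared by a stand-in model field and a stand-in form field, so the admin form path cannot skip it; the form field's `validate=False` switch models the vulnerable 3.0.0 behaviour. All class, function and rule names, the allow/deny lists and the sample attribute pairs are assumptions constructed for this example.

```python
import re
from html import escape

# Hypothetical rules: the real project's allow/deny lists may differ.
ATTR_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.:-]*$")
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data", "poster"}
FORBIDDEN_ATTRS = {"srcdoc"}          # holds raw HTML, never safe from an editor
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")  # data: needs its own allow-list if images are wanted


class AttributeValidationError(ValueError):
    """Raised when an attribute is malformed or could execute script."""


def _scheme_view(value: str) -> str:
    # Browsers ignore leading whitespace and embedded tab/CR/LF inside a scheme
    # ("java\tscript:", " JavaScript:"), so strip control chars before comparing.
    return re.sub(r"[\x00-\x20]", "", value).lower()


def validate_attributes(attrs, excluded_keys=()):
    """Reject any attribute that can run script. The same rules run on every path."""
    if not isinstance(attrs, dict):
        raise AttributeValidationError("attributes must be a dict")
    excluded = {k.lower() for k in excluded_keys}
    for name, value in attrs.items():
        if not isinstance(name, str) or not isinstance(value, str):
            raise AttributeValidationError("names and values must be strings")
        if not ATTR_NAME_RE.match(name):
            raise AttributeValidationError(f"malformed attribute name: {name!r}")
        lname = name.lower()
        if lname in excluded:
            raise AttributeValidationError(f"{name!r} is reserved by the plugin")
        if lname in FORBIDDEN_ATTRS:
            raise AttributeValidationError(f"attribute not allowed: {name!r}")
        if lname.startswith("on"):  # onclick, onmouseover, onerror, ...
            raise AttributeValidationError(f"event handler not allowed: {name!r}")
        if lname in URL_ATTRS and _scheme_view(value).startswith(SCRIPT_SCHEMES):
            raise AttributeValidationError(f"script URL in {name!r}: {value!r}")
        if lname == "style" and ("javascript:" in _scheme_view(value) or "expression(" in value.lower()):
            raise AttributeValidationError("script in style attribute")
    return attrs


class AttributesModelField:
    """Stand-in for the model field: always validated before save."""
    def __init__(self, excluded_keys=()):
        self.excluded_keys = excluded_keys

    def clean(self, value):
        return validate_attributes(value, self.excluded_keys)


class AttributesFormField:
    """Stand-in for the form field used by the admin plugin form (the path the
    advisory says was unvalidated). validate=False reproduces the vulnerable
    behaviour of returning the parsed pairs as-is; the fix is to run the same
    validator the model field uses."""
    def __init__(self, excluded_keys=(), validate=True):
        self.excluded_keys = excluded_keys
        self.validate = validate

    def clean(self, pairs):
        attrs = {k: v for k, v in pairs}
        if self.validate:
            validate_attributes(attrs, self.excluded_keys)
        return attrs


def render_attributes(attrs):
    """Render attrs into a tag body. Escaping the *value* is not enough on its
    own: an attacker-chosen *name* such as onmouseover is emitted as a live
    handler, which is why the name must be validated before it gets here."""
    return " ".join(f'{k}="{escape(v, quote=True)}"' for k, v in attrs.items())


def is_accepted(field, submitted):
    """True if the field accepts the submitted attributes (dict or list of pairs)."""
    try:
        field.clean(submitted)
        return True
    except AttributeValidationError:
        return False


if __name__ == "__main__":
    # Constructed sample input resembling what an editor submits via "Advanced settings".
    benign = [("class", "card shadow"), ("data-track", "hero")]
    hostile = [("onmouseover", "alert(document.cookie)")]
    print(render_attributes(AttributesFormField().clean(benign)))
    print("vulnerable form accepts handler:", is_accepted(AttributesFormField(validate=False), hostile))
    print("fixed form accepts handler:", is_accepted(AttributesFormField(), hostile))
```

The check on the attribute name is the important one: with the vulnerable form path the hostile pair above is stored unchanged and `render_attributes` emits `onmouseover="alert(document.cookie)"` verbatim, because there is nothing in the value that HTML escaping would alter.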
Timeline:
Date | Status
16-NOV-2024 | Reported to vendor
18-NOV-2024 | Vendor acknowledgement
20-NOV-2024 | Vulnerability fixed
20-NOV-2024 | Patch available
20-NOV-2024 | Public Disclosure