CVEs


CVE-2024-11406 - Stored XSS Vulnerability in Django CMS 3.0.0 (Attributes Fields)

Reported in November 2024

The vulnerability resides in the Django CMS admin panel under the Page Editing interface, specifically in the "Add plugin to placeholder 'Page Content'" feature. A user with page-editing access can inject a malicious payload into the "Attributes" field of plugins such as "card" or "badge"; the payload is stored with the plugin and rendered into the page without adequate sanitization, so the script executes in the browser of anyone who views the affected page (stored XSS).

CVE Link | Git Commit | Vendor Patch | Blog Post
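As an added illustration of the attribute-injection pattern behind this class of bug (constructed for this page; not django CMS code, and not the actual vulnerable or patched code): a renderer that writes a plugin's attribute dictionary into a tag unescaped, beside a hardened version that allow-lists attribute names, rejects on* event handlers and script-bearing URL schemes, and escapes every value. The function names, the allow-list and the sample payloads are hypothetical.

```python
import html
import re

# Added illustration, not django CMS code. Input is a dict of attribute name -> value,
# the shape a plugin "Attributes" field stores. The tag name comes from the plugin
# template, not from the user, so it is not validated here.

def render_attrs_naive(tag: str, attrs: dict) -> str:
    """Weak pattern: names and values are interpolated unescaped, so an attacker-chosen
    key such as "onmouseover", or a value containing a double quote, reaches every
    visitor's browser verbatim (stored XSS)."""
    rendered = " ".join(f'{name}="{value}"' for name, value in attrs.items())
    return f"<{tag} {rendered}></{tag}>"

# Hardened pattern. Hypothetical allow-list; a real one follows what the plugin needs.
_ALLOWED_NAMES = {"id", "class", "title", "alt", "href", "src", "target", "rel"}
_URL_ATTRS = {"href", "src"}
_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*$")
_SCRIPT_SCHEMES = ("javascript:", "vbscript:")
_LEADING_JUNK = "".join(chr(i) for i in range(0x21))  # C0 controls and space

def _normalize_url(value: str) -> str:
    # Browsers ignore tab/LF/CR inside a URL and leading control characters, so
    # "java\tscript:" or "\x01javascript:" must be collapsed before the scheme check.
    compact = value.replace("\t", "").replace("\n", "").replace("\r", "")
    return compact.lstrip(_LEADING_JUNK).lower()

def validate_attrs(attrs: dict) -> dict:
    """Raise ValueError for any name outside the allow-list, any on* handler and any
    script-bearing URL; return the attributes with lower-cased names."""
    clean = {}
    for name, value in attrs.items():
        lname = str(name).strip().lower()
        if not _NAME_RE.match(lname) or lname.startswith("on") or lname not in _ALLOWED_NAMES:
            raise ValueError(f"attribute not allowed: {name!r}")
        if not isinstance(value, str):
            raise ValueError(f"attribute value must be a string: {name!r}")
        if lname in _URL_ATTRS and _normalize_url(value).startswith(_SCRIPT_SCHEMES):
            raise ValueError(f"script URL rejected in {name!r}")
        clean[lname] = value
    return clean

def render_attrs_safe(tag: str, attrs: dict) -> str:
    """Validate, then escape every value (quotes included) before interpolation."""
    clean = validate_attrs(attrs)
    rendered = " ".join(
        f'{name}="{html.escape(value, quote=True)}"' for name, value in clean.items()
    )
    return f"<{tag} {rendered}></{tag}>"
```

Escaping the values alone is not enough here: the attribute name itself is attacker-controlled, so an event handler name passes straight through an escaper that only touches values. Allow-listing names is the step that closes that path; value escaping and the URL-scheme check close the other two.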

CVE-2024-11404 - File Upload Bypass Vulnerability in Django Filer 3.2.3

Reported in November 2024

The vulnerability was identified in django-filer 3.2.3, a file management application commonly used with django CMS. It allows an attacker to bypass the upload restrictions meant to block HTML and SVG files, so a file carrying script can be stored by the application and later executed in the browser of any user who opens it.

CVE Link | Vendor Patch | Blog Post
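As an added illustration of the general weakness behind upload-restriction bypasses (constructed for this page; not django-filer code, and the specific bypass from the linked blog post is not shown): an extension-only check that trusts the client-supplied filename, beside a content-aware policy that classifies the uploaded bytes the way a browser's MIME sniffing would, rejects HTML and SVG markup regardless of the name, and tags whatever it accepts with response headers that stop browsers from rendering it inline. Helper names and the sample files are hypothetical.

```python
import re
from typing import Optional, Tuple

# Added illustration, not django-filer code. Helper names and sample inputs are mine.

BLOCKED_EXTENSIONS = {"html", "htm", "xhtml", "shtml", "svg", "svgz"}

def extension_check_only(filename: str) -> bool:
    """Weak pattern: trust the client-supplied name and look at the last extension only."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS

# Tag names browsers' MIME sniffing treats as a signal for text/html.
_HTML_TAGS = {b"html", b"head", b"body", b"script", b"iframe", b"h1", b"div", b"font",
              b"table", b"a", b"style", b"title", b"b", b"br", b"p", b"meta",
              b"object", b"embed"}
_PROLOG_OR_COMMENT = re.compile(rb"<\?.*?\?>|<!--.*?-->", re.S)
_FIRST_TAG = re.compile(rb"<\s*(?:!doctype\s+)?([a-z][a-z0-9:-]*)", re.I)

def sniff_content(data: bytes) -> Optional[str]:
    """Classify the first KiB as 'html', 'svg' or None, ignoring the filename entirely."""
    head = data[:1024].lstrip(b"\xef\xbb\xbf")      # drop a UTF-8 BOM
    head = _PROLOG_OR_COMMENT.sub(b"", head)        # <?xml ...?> and comments may precede the root
    match = _FIRST_TAG.search(head)
    if not match:
        return None
    name = match.group(1).lower().split(b":")[-1]   # "svg:svg" -> "svg"
    if name == b"svg":
        return "svg"
    if name in _HTML_TAGS:
        return "html"
    return None

# Headers to serve accepted files with: never render inline, never let the browser guess.
SAFE_HEADERS = {"Content-Disposition": "attachment", "X-Content-Type-Options": "nosniff"}

def upload_decision(filename: str, data: bytes) -> Tuple[str, object]:
    """Content-aware policy. Returns ("reject", reason) or ("accept", headers)."""
    # Defense in depth: the name check stays, but looks at every dotted segment.
    if any(part in BLOCKED_EXTENSIONS for part in filename.lower().split(".")[1:]):
        return "reject", "blocked extension"
    kind = sniff_content(data)
    if kind is not None:
        return "reject", f"{kind} markup in content, whatever the name says"
    return "accept", SAFE_HEADERS

# Constructed sample uploads.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_SVG = (b'<?xml version="1.0"?>\n<!-- logo -->\n'
              b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>')
SAMPLE_HTML = b"<!DOCTYPE html><html><body><script>alert(1)</script></body></html>"
```

The point of the sniffing step is that the server and the victim's browser must agree on what the file is; an extension check alone leaves the browser free to reach its own conclusion from the bytes. If SVG must be allowed at all, it needs sanitization of script, event handlers and javascript: URLs on the content plus the attachment/nosniff headers above, not a name check.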

CVE-2024-11319 - Stored XSS Vulnerability in Django CMS 4.1.3

Reported in November 2024

Django CMS version 4.1.3 is affected by a stored Cross-Site Scripting (XSS) vulnerability. It allows an attacker to inject arbitrary JavaScript that is stored by the application and executed in the context of the web application, potentially compromising the accounts and data of any user who visits the affected page.

CVE Link | Git Commit | Vendor Patch | Blog Post