Search criteria
3 vulnerabilities by django-cms
CVE-2024-11319 (GCVE-0-2024-11319)
Vulnerability from cvelistv5 – Published: 2024-11-18 11:53 – Updated: 2025-09-16 13:47 X_Open Source
VLAI
Title
Stored XSS in Open Source Project "django-cms"
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django-cms allows Cross-Site Scripting (XSS).This issue affects django-cms: 3.11.7, 3.11.8, 4.1.2, 4.1.3.
Severity
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| django CMS Association | django-cms |
Affected:
3.11.7
(custom)
Affected: 3.11.8 (custom) Affected: 4.1.2 (custom) Affected: 4.1.3 (custom) Unaffected: 4.1.4 (custom) |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:django-cms:django_cms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django_cms",
"vendor": "django-cms",
"versions": [
{
"status": "affected",
"version": "3.11.7"
},
{
"status": "affected",
"version": "3.11.8"
},
{
"status": "affected",
"version": "4.1.2"
},
{
"status": "affected",
"version": "4.1.3"
},
{
"status": "affected",
"version": "4.1.4"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11319",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T13:46:55.877431Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T13:47:11.237Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "django-cms",
"vendor": "django CMS Association",
"versions": [
{
"status": "affected",
"version": "3.11.7",
"versionType": "custom"
},
{
"status": "affected",
"version": "3.11.8",
"versionType": "custom"
},
{
"status": "affected",
"version": "4.1.2",
"versionType": "custom"
},
{
"status": "affected",
"version": "4.1.3",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "4.1.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ali ILTIZAR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in django CMS Association django-cms allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects django-cms: 3.11.7, 3.11.8, 4.1.2, 4.1.3. \u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in django CMS Association django-cms allows Cross-Site Scripting (XSS).This issue affects django-cms: 3.11.7, 3.11.8, 4.1.2, 4.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T07:08:25.363Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"url": "https://www.usom.gov.tr/bildirim/tr-24-1859"
},
{
"url": "https://github.com/django-cms/django-cms/commit/241d1cbe47a68f5d271ce4d27ad5e32e2c360ec3"
},
{
"url": "https://www.django-cms.org/en/blog/2024/11/13/django-cms-security-update/"
},
{
"url": "https://iltosec.com/blog/post/django-cms-413-stored-xss-vulnerability-exploiting-the-page-title-field/"
}
],
"source": {
"advisory": "TR-24-1859",
"defect": [
"TR-24-1859"
],
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Stored XSS in Open Source Project \"django-cms\"",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2024-11319",
"datePublished": "2024-11-18T11:53:04.244Z",
"dateReserved": "2024-11-18T11:01:37.298Z",
"dateUpdated": "2025-09-16T13:47:11.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44649 (GCVE-0-2021-44649)
Vulnerability from cvelistv5 – Published: 2022-01-12 12:57 – Updated: 2024-08-04 04:25
VLAI
Summary
Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://sahildhar.github.io/blogpost/Django-CMS-R… | x_refsource_MISC |
| https://www.django-cms.org/en/blog/2020/07/22/dja… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:25:16.860Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T12:57:19.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-44649",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability/",
"refsource": "MISC",
"url": "https://sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability/"
},
{
"name": "https://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1/",
"refsource": "MISC",
"url": "https://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-44649",
"datePublished": "2022-01-12T12:57:19.000Z",
"dateReserved": "2021-12-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T04:25:16.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5081 (GCVE-0-2015-5081)
Vulnerability from cvelistv5 – Published: 2017-08-18 18:00 – Updated: 2024-08-06 06:32
VLAI
Summary
Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.django-cms.org/en/blog/2015/06/27/311… | x_refsource_CONFIRM |
| https://github.com/divio/django-cms/commit/f77cbc… | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2015/06/28/1 | mailing-listx_refsource_MLIST |
Date Public
2015-06-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:32:32.813Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.django-cms.org/en/blog/2015/06/27/311-3014-release/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/divio/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a"
},
{
"name": "[oss-security] 20150628 Re: CVE Request: Django CMS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/06/28/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-18T17:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.django-cms.org/en/blog/2015/06/27/311-3014-release/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/divio/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a"
},
{
"name": "[oss-security] 20150628 Re: CVE Request: Django CMS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/06/28/1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5081",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.django-cms.org/en/blog/2015/06/27/311-3014-release/",
"refsource": "CONFIRM",
"url": "https://www.django-cms.org/en/blog/2015/06/27/311-3014-release/"
},
{
"name": "https://github.com/divio/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a",
"refsource": "CONFIRM",
"url": "https://github.com/divio/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a"
},
{
"name": "[oss-security] 20150628 Re: CVE Request: Django CMS",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/06/28/1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5081",
"datePublished": "2017-08-18T18:00:00.000Z",
"dateReserved": "2015-06-26T00:00:00.000Z",
"dateUpdated": "2024-08-06T06:32:32.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}