2.3.5 Security release
We just issued a security release for django CMS 2.3. All versions are affected and users are encouraged to upgrade immediately.
The security issue fixed in this release allowed users with limited admin access to elevate their privileges by injecting script (XSS) through the page_attribute template tag, whose output was not escaped. Only users with admin access and the permission to edit at least one django CMS page object could exploit this vulnerability. Websites that do not use the page_attribute template tag are not affected.
Full list of changes in this release
- Output of page_attribute template tag is escaped.
- All versions are affected.
- The vulnerability is in the page_attribute template tag. Only websites using this template tag are vulnerable.
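The bug class described above and the fix listed in the change list (escaping the tag's output), as an added illustration that is not django CMS code: a Django template tag's return value bypasses template autoescaping, so a page attribute that an editor can set lands in the HTML verbatim unless the tag escapes it itself. Django's template engine and django.utils.html.escape are stood in for by plain Python and html.escape; the page data and attribute names are constructed for the example.

```python
"""Vulnerable vs. fixed shape of a page_attribute-style template tag.
Added example, not django CMS code; html.escape stands in for
django.utils.html.escape and plain functions stand in for the tag."""
import html

# Constructed sample page: whoever may edit this page can store any
# string in these attributes, so the tag must treat them as untrusted.
PAGE = {
    "title": "Home<script>alert(1)</script>",
    "slug": "home",
    "meta_description": 'Plain "quoted" text & more',
}


def page_attribute_vulnerable(page, name):
    """Pre-fix behaviour: the stored value is returned as-is.
    Tag output is not autoescaped, so markup in the value becomes
    live HTML for every visitor of the page (stored XSS)."""
    return page.get(name, "")


def page_attribute_fixed(page, name):
    """Fixed behaviour: the value is HTML-escaped before it is emitted."""
    return html.escape(page.get(name, ""), quote=True)


def render_title(page, tag_func):
    """Simulates a template line such as <title>{% page_attribute "title" %}</title>."""
    return "<title>%s</title>" % tag_func(page, "title")


def unescaped_chars(tag_output):
    """Review check: which HTML-significant characters survive unescaped
    in a tag's output? Empty set means the output is safe to inline."""
    return {c for c in tag_output if c in '<>"\''}


def contains_markup(rendered):
    """Cheap check over rendered HTML: did an attribute value survive
    as a live <script> element?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for label, tag in (("vulnerable", page_attribute_vulnerable),
                       ("fixed", page_attribute_fixed)):
        out = render_title(PAGE, tag)
        print("%-10s %s" % (label, out))
        print("%-10s raw chars: %s" % ("", sorted(unescaped_chars(tag(PAGE, "title")))))
```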
General note regarding security reporting
Please report any potential security issues via private email to email@example.com, and not via a public channel such as our IRC channel, our mailing lists or our bug tracker.