Content: Blog

Release

2.3.5 Security release

Jonas Obrist

Jonas Obrist

Feb. 13, 2013

security 2.3

We just issued a security release for django CMS 2.3. All versions are affected and users are encouraged to upgrade immediately.

The security issue fixed in this release allowed users with limited admin access to elevate their privileges through XSS injection using the page_attribute template tag. Only users with admin access and the permission to edit at least one django CMS page object could exploit this vulnerability. Websites that do not use the page_attribute template tag are not affected.

Full list of changes in this release

  • Output of page_attribute template tag is escaped.

Affected versions

  • All versions are affected

Affected APIs

  • The vulnerability is in the page_attribute template tag. Only websites using this template tag are vulnerable.

General note regarding security reporting

Please report any potential security issues via private email to [email protected], and not via a public channel such as our IRC channel, our mailinglists or our bug tracker.

blog comments powered by Disqus

Do you want to test django CMS?

Try django CMS

django CMS Association

The association behind django CMS
Email [email protected]

Subscribe to Newsletter

 

Community
Blog
Events
Security
Developers
Documentation
Roadmap
Repository
Issue tracker
Follow us

icon-twitter.png   icon-slack-32.png    icon-github.png   icon-linkedin-32.png

Mastodon

Copyright © 2001 - 2024 Divio AG. BSD Open-Source License.

Django CMS is based on Python and Django

A project backed by the django CMS Association