The django CMS official blog

13
Feb

2.3.5 Security release

Today we issued a security release, django CMS 2.3.5, to remedy a security issue reported to us.

All users are encouraged to upgrade django CMS immediately.

The security issue fixed in this release allowed users with limited admin access to elevate their privileges through XSS injection using the page_attribute template tag. Only users with admin access and the permission to edit at least one django CMS page object could exploit this vulnerability. Websites that do not use the page_attribute template tag are not affected.

Full list of changes in this release

  • Output of page_attribute template tag is escaped.

Affected versions

  • All versions are affected

Affected APIs

  • The vulnerability is in the page_attribute template tag. Only websites using this template tag are vulnerable.

General note regarding security reporting

Please report any potential security issues via private email to security@django-cms.org, and not via a public channel such as our IRC channel, our mailinglists or our bug tracker.

blog comments powered by Disqus