CVE-2021-44649
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
12/01/2022
Last modified:
20/01/2022
Description
Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.
Impact
Base Score 3.x
5.40
Severity 3.x
MEDIUM
Base Score 2.0
3.50
Severity 2.0
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:django-cms:django_cms:*:*:*:*:*:*:*:* | 3.4.0 (including) | 3.4.7 (excluding) |
| cpe:2.3:a:django-cms:django_cms:*:*:*:*:*:*:*:* | 3.5.0 (including) | 3.5.4 (excluding) |
| cpe:2.3:a:django-cms:django_cms:*:*:*:*:*:*:*:* | 3.6.0 (including) | 3.6.1 (excluding) |
| cpe:2.3:a:django-cms:django_cms:*:*:*:*:*:*:*:* | 3.7.0 (including) | 3.7.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



