CVE-2021-44649

Severity CVSS v4.0:
Pending analysis
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
12/01/2022
Last modified:
20/01/2022

Description

Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:django-cms:django_cms:*:*:*:*:*:*:*:* 3.4.0 (including) 3.4.7 (excluding)
cpe:2.3:a:django-cms:django_cms:*:*:*:*:*:*:*:* 3.5.0 (including) 3.5.4 (excluding)
cpe:2.3:a:django-cms:django_cms:*:*:*:*:*:*:*:* 3.6.0 (including) 3.6.1 (excluding)
cpe:2.3:a:django-cms:django_cms:*:*:*:*:*:*:*:* 3.7.0 (including) 3.7.4 (excluding)