django-cms is vulnerable to Cross-Site Scripting (XSS)
44
Medium Risk
When plugin rendering fails in edit mode, ContentRenderer.render_exception in cms/plugin_rendering.py builds the cms-rendering-exception heading by interpolating the exception message, placeholder and source strings, and the plugin's get_short_description() directly into an HTML string, then returns that placeholder output as safe markup. Stored content that reaches those values is parsed as HTML in a staff user's browser when the plugin later raises during edit-mode rendering, producing stored cross-site scripting in the CMS editing context. Enabling DEBUG does not mitigate the issue because the custom heading renders regardless of the traceback HTML. The fix escapes the heading with format_html before returning it as safe markup.
You are affected if you are using a version that falls within the vulnerable range.
django-cms is vulnerable to Cross-Site Scripting (XSS) in versions 5.0.0 - 5.0.8.
Upgrade the django-cms library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant