django-cms is vulnerable to Missing Authorization
43
Medium Risk
The frontend-editing structure endpoint served by render_object_structure performs an object-level authorization check for PageContent objects but not for other frontend-editable models using PlaceholderRelationField. Any authenticated, active staff user can request the structure URL for a non-PageContent object and read its placeholder and plugin structure without change permission and without the cms.use_structure permission. This discloses placeholder slot names, the plugin tree, plugin identifiers, and object existence for objects the user is not authorized to edit. The fix authorizes the non-PageContent branch and returns 404 when the user is not permitted to view the object's placeholder source.
You are affected if you are using a version that falls within the vulnerable range and your deployment exposes non-PageContent frontend-editable models via PlaceholderRelationField.
django-cms is vulnerable to Missing Authorization in versions 4.1.0 - 5.0.8.
Upgrade the django-cms library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant