{"id":"CVE-2021-44649","details":"Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross-Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.","aliases":["GHSA-hx7c-qpfq-xcrp","PYSEC-2022-7"],"modified":"2026-03-14T11:17:08.052689Z","published":"2022-01-12T13:15:07.737Z","references":[{"type":"ADVISORY","url":"https://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1/"},{"type":"EVIDENCE","url":"https://sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django-cms/django-cms","events":[{"introduced":"4e2ac3e73845fa0a2970247996ddd6fe16408fc0"},{"fixed":"f824cd4afd89bf7bb3e12015cb1ed33348718c1d"},{"introduced":"fe553bcc45af101cae9f31b4d05a9a12fddf6325"},{"fixed":"932da2ebb4d165a2ed38a1920cd9c96715981f42"},{"introduced":"b2b35ca9d5564ee90b87a8f81c10d24f96304878"},{"fixed":"8aeb97a8e85f28aa7784f9d071a515b6825babac"},{"introduced":"7bec4b56ce7bab49f6263677f5cabd0548ee2bff"},{"fixed":"01f53e46cba3cf9e78e683cfccb561e11875091b"}],"database_specific":{"versions":[{"introduced":"3.4.0"},{"fixed":"3.4.7"},{"introduced":"3.5.0"},{"fixed":"3.5.4"},{"introduced":"3.6.0"},{"fixed":"3.6.1"},{"introduced":"3.7.0"},{"fixed":"3.7.4"}]}}],"versions":["3.4.0","3.4.1","3.4.2","3.4.4","3.4.5","3.4.6","3.5.0","3.5.0rc1","3.5.1","3.5.2","3.5.3","3.5.3rc1","3.6.0","3.6.0rc1","3.6.0rc2","3.6.0rc3","3.7.0","3.7.0rc1","3.7.0rc2","3.7.1","3.7.2","3.7.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-44649.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}