{"id":"PYSEC-2022-7","details":"Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.","aliases":["CVE-2021-44649","GHSA-hx7c-qpfq-xcrp"],"modified":"2023-11-08T04:07:17.907342Z","published":"2022-01-12T13:15:00Z","references":[{"type":"ARTICLE","url":"https://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1/"},{"type":"ARTICLE","url":"https://sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-hx7c-qpfq-xcrp"}],"affected":[{"package":{"name":"django-cms","ecosystem":"PyPI","purl":"pkg:pypi/django-cms"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.4.0"},{"fixed":"3.4.7"},{"introduced":"3.5.0"},{"fixed":"3.5.4"},{"introduced":"3.6.0"},{"fixed":"3.6.1"},{"introduced":"3.7.0"},{"fixed":"3.7.4"}]}],"versions":["3.4.0","3.4.1","3.4.2","3.4.3","3.4.4","3.4.5","3.4.6","3.5.0","3.5.1","3.5.2","3.5.3","3.6.0","3.7.0","3.7.1","3.7.2","3.7.3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/django-cms/PYSEC-2022-7.yaml"}}],"schema_version":"1.7.3"}