django CMS 2.1.4 security release issued
This afternoon a possible security issue in our text plugin was brought to our attention. All django CMS versions are affected, and as a result we released version 2.1.4. Thanks go to Klaas van Schelven for reporting this issue.
The security issue fixed in this release allowed users with administrator accounts that have the right to edit pages to inject javascript into text plugins which could allow them to hijack user accounts with higher permission levels than themselves. As a result, no javascript is allowed in the text plugins anymore, and the 2.1.4 release contains a migration script to clean all existing plugins. The snippet plugin, which also has this flaw, continues to allow javascript and should therefore be used very cautiously.
Full list of changes in this release
- No longer allow javascript in text plugins.
- Clean all javascript from text plugins
- Added html5lib as a dependency to do the javascript filtering.
Affected versions
- all versions
Detailed upgrade instructions
Update your django CMS to 2.1.4 and run the south migration using the `migrate text` management command.
General note concerning security
Please report any potential security issue you discover via private email to [email protected]. Please do not report it to the github issue tracker or any of the mailing lists.
blog comments powered by Disqus