Release

2.3.5 Security release

Jonas Obrist

Feb. 13, 2013

security 2.3

We just issued a security release for django CMS 2.3. All versions are affected and users are encouraged to upgrade immediately.

The security issue fixed in this release allowed users with limited admin access to elevate their privileges through XSS injection using the page_attribute template tag. Only users with admin access and the permission to edit at least one django CMS page object could exploit this vulnerability. Websites that do not use the page_attribute template tag are not affected.

Full list of changes in this release

  • Output of page_attribute template tag is escaped.

Affected versions

  • All versions are affected

Affected APIs

  • The vulnerability is in the page_attribute template tag. Only websites using this template tag are vulnerable.
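To make the single change in this release concrete, the following is an added stdlib-only model (not django CMS code) of a page_attribute-style tag before and after output escaping. The sample page, template, regex and function names are constructed for illustration and are not the project's own.

```python
import html
import re

# Constructed sample page: an editor with permission to edit this one page
# has stored markup in an attribute that page_attribute renders elsewhere.
SAMPLE_PAGE = {
    "title": "About us <script>alert(1)</script>",
    "meta_description": "Plain description, no markup",
}

# Constructed template using the tag the way a site's base template might.
SAMPLE_TEMPLATE = (
    "<title>{% page_attribute \"title\" %}</title>\n"
    "<meta name=\"description\" content=\"{% page_attribute \"meta_description\" %}\">"
)

TAG_RE = re.compile(r'{%\s*page_attribute\s+"([^"]+)"\s*%}')


def page_attribute_unescaped(page, name):
    """Models the pre-2.3.5 behaviour: the stored value is emitted verbatim,
    so any markup in it becomes part of the rendered document."""
    return str(page.get(name, ""))


def page_attribute_escaped(page, name):
    """Models the 2.3.5 fix: the value is HTML-escaped on output, so it is
    displayed as text. quote=True also escapes quotes, which matters when
    the tag is used inside an attribute value such as content="..."."""
    return html.escape(str(page.get(name, "")), quote=True)


def render(template, page, tag):
    """Substitute every page_attribute tag in the template with the value
    the given tag implementation returns for that attribute."""
    return TAG_RE.sub(lambda m: tag(page, m.group(1)), template)


def emits_raw_markup(rendered):
    """True if a script element from the stored data survived rendering
    unescaped; the condition an escaping unit test should assert against."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    before = render(SAMPLE_TEMPLATE, SAMPLE_PAGE, page_attribute_unescaped)
    after = render(SAMPLE_TEMPLATE, SAMPLE_PAGE, page_attribute_escaped)
    print("before fix, markup survives:", emits_raw_markup(before))  # True
    print("after fix, markup survives:", emits_raw_markup(after))    # False
    print(after)
```

Escaping at output time, as the fix does, covers every stored value regardless of which editor wrote it; filtering on input alone would not protect attribute values that are already in the database.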

General note regarding security reporting

Please report any potential security issues via private email to [email protected], and not via a public channel such as our IRC channel, our mailing lists or our bug tracker.
