CVE-2024-11319 — django CMS Cross-Site Scripting (XSS)

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django-cms allows Cross-Site Scripting (XSS).This issue affects django-cms: 3.11.7, 3.11.8, 4.1.2, 4.1.3.

How to fix CVE-2024-11319

To remediate CVE-2024-11319, upgrade the affected package to a fixed version below.

PyPI/django-cms—upgrade to 3.11.9 or later
—upgrade to 241d1cbe47a68f5d271ce4d27ad5e32e2c360ec3 or later

Is CVE-2024-11319 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 3.11.7, < 3.11.9
from 0, < 241d1cbe47a68f5d271ce4d27ad5e32e2c360ec3 | from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

References (11)

ADVISORYgithub.com/advisories/GHSA-gv5h-5655-h4mv
ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-11319
ADVISORYwww.django-cms.org/en/blog/2024/11/13/django-cms-security-update/
EXPLOITiltosec.com/blog/post/django-cms-413-stored-xss-vulnerability-exploiting-the-page-title-field/