Unknown · Mezzanine CMS · CVE-2025-6050
**Name of the Vulnerable Software and Affected Versions**
Mezzanine CMS versions prior to 6.1.1
**Description**
The issue is a Stored Cross-Site Scripting (XSS) vulnerability in the admin interface. It exists in the `displayable_links_js` view, which fails to escape blog post titles before including them in the JSON link list it serves at `/admin/displayable_links.js`. An authenticated admin user can create a blog post with a JavaScript payload in the `title` field and then trick another admin user into opening a direct link to `/admin/displayable_links.js`; the stored payload is returned in the response body and executes in the victim's browser with that admin's session. Note that a raw JSON body only runs as script when the browser renders it as an HTML document, which is what happens when `json.dumps()` output is returned through a plain Django `HttpResponse`, whose default content type is `text/html`; a response served as `application/json` is displayed as text instead. The two defences are therefore independent: escape the titles, and serve the endpoint with the correct content type.
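The following is an added illustration of the pattern described above, not Mezzanine's own code: a reconstructed vulnerable view that returns `json.dumps()` output as `text/html`, a hardened variant that both escapes the HTML-significant characters inside the JSON (the same idea Django's `json_script` helper uses) and serves `application/json`, and a small regression check. The link-list shape, the `/blog/<n>/` URLs and the sample titles are constructed for the example and are assumptions, not data from the advisory.

```python
import json

# Constructed sample data (not taken from the advisory): one benign title and one
# carrying the kind of payload an admin could store in a blog post's title field.
SAMPLE_TITLES = [
    "Release notes",
    '<script>fetch("/admin/logout/")</script>',
]

# Same three characters Django's json_script() escapes: the ones that can open or
# close an HTML context. JSON parsers decode these escapes back transparently.
_JSON_HTML_ESCAPES = {ord("<"): "\\u003C", ord(">"): "\\u003E", ord("&"): "\\u0026"}


def _link_list(titles):
    """Build title/value pairs of the shape the advisory describes (assumed layout)."""
    return [{"title": f"Blog post: {title}", "value": f"/blog/{i}/"}
            for i, title in enumerate(titles)]


def vulnerable_links_js(titles):
    """Pattern the advisory describes (reconstructed, not Mezzanine's code): titles go
    into json.dumps() untouched and the body is served as text/html, which is what a
    bare Django HttpResponse does by default. Returns (body, content_type)."""
    return json.dumps(_link_list(titles)), "text/html; charset=utf-8"


def hardened_links_js(titles):
    """Two independent fixes; either alone stops the direct-link attack, keep both.
    1. Serve application/json so a browser shows text and never parses a document.
    2. Escape <, > and & inside the JSON so the body contains no tag characters even
       if it is ever reflected into an HTML context. The consuming editor still gets
       the original title after json.loads(), and must insert it as text, not HTML."""
    body = json.dumps(_link_list(titles)).translate(_JSON_HTML_ESCAPES)
    return body, "application/json; charset=utf-8"


def would_execute_on_direct_visit(body, content_type):
    """Crude regression check for this bug class: a literal script tag in the body
    AND an HTML content type. Both conditions must hold for the attack to fire."""
    mime = content_type.split(";")[0].strip().lower()
    return mime == "text/html" and "<script" in body.lower()


def roundtrip_titles(body):
    """Parse the body the way the consuming editor would and return the titles."""
    return [item["title"] for item in json.loads(body)]


if __name__ == "__main__":
    for view in (vulnerable_links_js, hardened_links_js):
        body, ctype = view(SAMPLE_TITLES)
        print(view.__name__, ctype, "executes on direct visit:",
              would_execute_on_direct_visit(body, ctype))
        print("   ", body)
```

Run it directly to see the two bodies side by side: the vulnerable one carries `<script>` verbatim under `text/html`, the hardened one carries `\u003Cscript\u003E` under `application/json`, and `roundtrip_titles()` shows that a JSON consumer still receives the identical title text from both.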
**Recommendations**
For versions prior to 6.1.1, update to version 6.1.1 or later, which fixes the issue. Until the upgrade is deployed, reduce exposure inside the admin: restrict access to the `/admin/displayable_links.js` endpoint (and to the admin interface generally) to the smallest set of trusted accounts, since exploitation needs one admin to store the title and a second admin to open the link; and treat blog post titles already in the database as untrusted, reviewing them for script content before admins browse the endpoint. If the link list the view serves is not needed, disabling the `displayable_links_js` view is a stronger interim measure at the cost of that feature.