PT-2024-9176 · Unknown · Django Cms
Ali Iltizar +1
Published 2024-11-13 · Updated 2024-11-20 · CVE-2024-11319
CVSS v4.0: 9.3 (Critical)
Vector: AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: django-cms versions 3.11.7 through 3.11.8; django-cms versions 4.1.2 through 4.1.3
Description: The issue is improper neutralization of input during web page generation, allowing Cross-Site Scripting (XSS). A remote attacker can exploit it to conduct an XSS attack. The vulnerability stems from a failure to protect the structure of generated web pages: the Page Title field in the Page Creation interface is not neutralized before rendering, allowing JavaScript injection.
Recommendations: For django-cms versions 3.11.7 and 3.11.8, and for versions 4.1.2 and 4.1.3, update to a version that includes the fix for this issue. As a temporary workaround, restrict access to the Page Creation interface to minimize the risk of exploitation, and avoid using the Page Title field in the affected versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
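The workaround above leaves already-stored titles untouched, so a practitioner on an affected version will also want to check what is sitting in the database and to confirm that titles are escaped wherever a template renders them. The following is an added illustration of that check, not code from django-cms or from the advisory author: the sample titles are constructed, the regular expressions are triage heuristics (a hypothetical `audit_titles` helper, not a complete XSS detector), and the two render functions contrast raw interpolation with `html.escape` to show the weakness class the advisory describes.

```python
import html
import re

# Constructed sample of (slug, page title) pairs, as a defender might export
# them from a CMS database for review. Not real django-cms data.
SAMPLE_TITLES = [
    ("home", "Welcome to our site"),
    ("faq", "Terms & conditions"),
    ("promo", "Spring sale <img src=x onerror=alert(1)>"),
    ("about", "About us <script>alert(1)</script>"),
    ("news", "Latest news javascript:alert(1)"),
]

# Heuristics for content that has no business in a plain-text page title.
# They produce candidates for human review, not a verdict.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
SCRIPT_URI_RE = re.compile(r"javascript\s*:", re.IGNORECASE)


def title_findings(title):
    """Return the list of heuristic labels that fire on one title."""
    findings = []
    if TAG_RE.search(title):
        findings.append("html-tag")
    if EVENT_HANDLER_RE.search(title):
        findings.append("event-handler")
    if SCRIPT_URI_RE.search(title):
        findings.append("javascript-uri")
    return findings


def audit_titles(titles):
    """Map slug -> findings for every title that trips at least one heuristic."""
    report = {}
    for slug, title in titles:
        findings = title_findings(title)
        if findings:
            report[slug] = findings
    return report


def render_title_unsafe(title):
    # The weakness class: untrusted text is interpolated straight into markup,
    # so any tag or attribute in the title becomes part of the page structure.
    return f"<h1>{title}</h1>"


def render_title_safe(title):
    # Neutralize the input: <, >, &, and quotes become entities, so the title
    # is displayed as text and cannot change the page structure.
    return f"<h1>{html.escape(title, quote=True)}</h1>"


if __name__ == "__main__":
    for slug, findings in audit_titles(SAMPLE_TITLES).items():
        print(f"{slug}: {', '.join(findings)}")
    print(render_title_safe(SAMPLE_TITLES[2][1]))
```

In a real Django deployment the template engine performs the equivalent of `render_title_safe` automatically through autoescaping; the escaping is lost only where a template or view marks the value as safe (`|safe`, `mark_safe`), which is the pattern to look for when reviewing how a title reaches the page.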

Exploit: XSS

Weakness Enumeration

Related Identifiers

BDU:2024-10863
CVE-2024-11319
GHSA-GV5H-5655-H4MV

Affected Products

Django Cms