{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "3.4.0" }, { "fixed": "3.4.7" }, { "introduced": "3.5.0" }, { "fixed": "3.5.4" }, { "introduced": "3.6.0" }, { "fixed": "3.6.1" }, { "introduced": "3.7.0" }, { "fixed": "3.7.4" } ] }, "events": [ { "introduced": "4e2ac3e73845fa0a2970247996ddd6fe16408fc0" }, { "fixed": "f824cd4afd89bf7bb3e12015cb1ed33348718c1d" }, { "introduced": "fe553bcc45af101cae9f31b4d05a9a12fddf6325" }, { "fixed": "932da2ebb4d165a2ed38a1920cd9c96715981f42" }, { "introduced": "b2b35ca9d5564ee90b87a8f81c10d24f96304878" }, { "fixed": "8aeb97a8e85f28aa7784f9d071a515b6825babac" }, { "introduced": "7bec4b56ce7bab49f6263677f5cabd0548ee2bff" }, { "fixed": "01f53e46cba3cf9e78e683cfccb561e11875091b" } ], "repo": "https://github.com/django-cms/django-cms", "type": "GIT" } ] } ], "details": "Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.", "id": "CVE-2021-44649", "modified": "2026-03-13T21:48:53.592431968Z", "published": "2022-01-12T13:15:07.737Z", "references": [ { "type": "ADVISORY", "url": "https://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1/" }, { "type": "EVIDENCE", "url": "https://sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability/" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" } ] }