Django CMS 3.7.3 Error Message plugin_type 跨网站脚本

字段	2022-01-12 19時34分	2022-01-15 10時01分
vendor	Django	Django
name	CMS	CMS
version	3.7.3	3.7.3
component	Error Message Handler	Error Message Handler
argument	plugin_type	plugin_type
cwe	79 (跨网站脚本)	79 (跨网站脚本)
risk	1	1
cvss3_vuldb_av	N	N
cvss3_vuldb_ac	L	L
cvss3_vuldb_ui	R	R
cvss3_vuldb_s	U	U
cvss3_vuldb_c	N	N
cvss3_vuldb_i	L	L
cvss3_vuldb_a	N	N
cvss3_vuldb_rl	O	O
cvss3_vuldb_rc	C	C
url	https://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1/	https://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1/
name	Patch	Patch
cve	CVE-2021-44649	CVE-2021-44649
cve_assigned	1638745200	1638745200
date	1641942000 (2022-01-12)	1641942000 (2022-01-12)
type	Content Management System	Content Management System
cvss2_vuldb_av	N	N
cvss2_vuldb_ac	L	L
cvss2_vuldb_ci	N	N
cvss2_vuldb_ii	P	P
cvss2_vuldb_ai	N	N
cvss2_vuldb_rc	C	C
cvss2_vuldb_rl	OF	OF
cvss2_vuldb_au	S	S
cvss2_vuldb_e	ND	ND
cvss3_vuldb_pr	L	L
cvss3_vuldb_e	X	X
cvss2_vuldb_basescore	4.0	4.0
cvss2_vuldb_tempscore	3.5	3.5
cvss3_vuldb_basescore	3.5	3.5
cvss3_vuldb_tempscore	3.4	3.4
cvss3_meta_basescore	3.5	3.5
cvss3_meta_tempscore	3.4	3.4
price_0day	$0-$5k	$0-$5k
cve_nvd_summary		Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.

Interested in the pricing of exploits?

See the underground prices here!