CVE-2024-11319

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Nov 18, 2024 / Updated: 1d ago

CVSS 9.3 | EPSS 0.05% | Critical

Summary

An Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability has been identified in django CMS Association's django-cms. The affected versions of django-cms are 3.11.7, 3.11.8, 4.1.2, and 4.1.3.

Impact

This vulnerability could allow an attacker to execute malicious scripts in a user's browser within the context of the affected django-cms site. The potential impacts include:

1. Theft of sensitive data: attackers could steal session tokens, cookies, or other critical information stored in the browser.
2. Account takeover: the vulnerability could be exploited to impersonate users and perform actions on their behalf.
3. Defacement: malicious scripts could modify the appearance of web pages, potentially damaging the organization's reputation.
4. Malware distribution: attackers could inject scripts that redirect users to malicious sites or download malware.

The CVSS v4.0 base score for this vulnerability is 9.3 (Critical), indicating a severe risk. The attack vector is Adjacent, meaning the attacker needs to be on an adjacent network, but the attack complexity is Low and no user interaction is required. Despite requiring high privileges, the potential impact on confidentiality, integrity, and availability of both the vulnerable and subsequent systems is rated as High.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

Based on the information provided, no available patch is mentioned. However, given the critical nature of the vulnerability, it is likely that the django CMS Association is working on a fix. Security teams should monitor the official django-cms repository or announcements for patch information.

Mitigation

While waiting for an official patch, consider the following mitigation strategies:

1. Upgrade: if possible, upgrade to a version of django-cms that is not affected by this vulnerability. However, as the latest versions (3.11.8 and 4.1.3) are impacted, this may not be immediately possible.
2. Input Validation: implement strict input validation and sanitization for all user inputs, especially those that could be rendered in web pages.
3. Content Security Policy (CSP): implement a strong Content Security Policy to mitigate the risk of XSS attacks.
4. Web Application Firewall (WAF): deploy or configure a WAF to filter out potential XSS attacks.
5. Output Encoding: ensure all dynamic content is properly encoded before being rendered in web pages.
6. Least Privilege: review and restrict user privileges where possible to minimize the impact of successful attacks.
7. Regular Security Audits: conduct thorough code reviews and security audits to identify and address similar vulnerabilities.
8. Monitor for Updates: closely follow django-cms security announcements and apply patches as soon as they become available.

Given the critical CVSS score and the widespread use of django-cms, addressing this vulnerability should be considered a high priority for security teams.
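As an added illustration of mitigation item 5 (output encoding), and not code from django-cms or the advisory: the advisory's references name the page title field as the injection point, so the example renders a constructed title once without encoding and once with it, and includes a tag-count check a reviewer can run on rendered output. It uses the standard-library html.escape, which encodes the same five characters Django's template autoescaping does; the title value and function names are assumptions.

```python
# Added example (not from django-cms or the advisory): why output encoding
# neutralises a stored CMS page title that contains markup. The title below
# is a constructed sample, not a real payload.
from html import escape
from html.parser import HTMLParser
from typing import List

SAMPLE_TITLE = "Home <em>injected</em>"  # constructed attacker-controlled title


def render_heading_unsafe(title: str) -> str:
    """Vulnerable pattern: the stored title is interpolated verbatim, so any
    markup it carries becomes part of the page (stored XSS)."""
    return f"<h1>{title}</h1>"


def render_heading_safe(title: str) -> str:
    """Hardened pattern: HTML-encode at output time. quote=True also encodes
    quotes, which matters when the same title lands inside an attribute such
    as <meta content="...">. This mirrors Django's template autoescaping."""
    return f"<h1>{escape(title, quote=True)}</h1>"


class _TagCollector(HTMLParser):
    """Records every start tag a browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(rendered_html: str) -> List[str]:
    """Defender's check: list the tags present in a rendered fragment. For a
    heading that should hold plain text, anything beyond the wrapper tag
    indicates unencoded output."""
    collector = _TagCollector()
    collector.feed(rendered_html)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print(tags_in(render_heading_unsafe(SAMPLE_TITLE)))  # ['h1', 'em']
    print(tags_in(render_heading_safe(SAMPLE_TITLE)))    # ['h1']
```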

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-11319

Nov 18, 2024 at 12:15 PM
CVSS

A CVSS base score of 9.3 has been assigned.

Nov 18, 2024 at 12:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-11319. See article

Nov 18, 2024 at 12:20 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 18, 2024 at 12:21 PM
Vendor Advisory

GitHub Advisories released a security advisory.

Nov 18, 2024 at 12:30 PM
CVSS

A CVSS base score of 9.6 has been assigned.

Nov 18, 2024 at 3:40 PM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 17%)

Nov 19, 2024 at 9:42 AM

Affected Systems

Django-cms/django_cms

Patches

Github Advisory

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

Vendor Advisory

[GHSA-gv5h-5655-h4mv] django CMS Cross-Site Scripting (XSS)

GitHub Security Advisory: GHSA-gv5h-5655-h4mv
Release Date: 2024-11-18
Update Date: 2024-11-18
Severity: Critical
CVE-2024-11319

Package Information
Package: django-cms
Affected Versions: >= 3.11.7
Patched Versions: 3.11.9

Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django-cms allows Cross-Site Scripting (XSS). This issue affects django-cms: 3.11.7, 3.11.8, 4.1.2, 4.1.3.

References
https://nvd.nist.gov/vuln/detail/CVE-2024-11319
django-cms/django-cms@241d1cb
https://iltosec.com/blog/post/django-cms-413-stored-xss-vulnerability-exploiting-the-page-title-field
https://www.django-cms.org/en/blog/2024/11/13/django-cms-security-update
https://www.usom.gov.tr/bildirim/tr-24-1859

News

famixcm/CVE-2024-11319
[GitHub]Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
NA - CVE-2024-11319 - Improper Neutralization of Input During Web...
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django-cms allows Cross-Site Scripting (XSS).This issue...
CVE-2024-11319 - "Django-cms Cross-Site Scripting (XSS)" November 18, 2024 at 12:15PM https://ift.tt/JKQN3EH #CVE #IOC #CTI #ThreatIntelligence #ThreatIntel #Cybersecurity #Recon
CVE-2024-11319 | Django CMS up to 3.11.7/3.11.8/4.1.2/4.1.3 cross site scripting
A vulnerability was found in Django CMS up to 3.11.7/3.11.8/4.1.2/4.1.3 . It has been classified as problematic . This affects an unknown part. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2024-11319 . It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

CVSS V3.1

Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
