Thanks Susanne. Unfortunately it looks like this issue was discovered and made public without any communication with the project itself, thusly this is the first we've heard of it and there was no fix until now.

It's now resolved in a dependency ironically called "grappelli-safe", which I just pushed a new version of (0.5.2) to PyPI containing the fix, which you can see on GitHub here: https://github.com/stephenmcd/grappelli-safe/commit/cb1d459b2cb96be4ea8be33060da7874525510e0

New installs of the current Mezzanine version will automatically pick this up.

Thanks again,
Steve

On Fri, Mar 15, 2019 at 11:31 AM Ramsey, Susanne B. <rams...@llnl.gov> wrote:
> Hello
>
> I have searched various locations, but can find nothing concerning a fix for CVE-2018-16632 <https://nvd.nist.gov/vuln/detail/CVE-2018-16632>. Mezzanine CMS v4.3.1 allows XSS via the /admin/blog/blogcategory/add/?_to_field=id&_popup=1 title parameter at admin/blog/blogpost/add/.
>
> Has this been addressed or will it be?
>
> Many thanks!
>
> Susanne
>
> ========================================
> Susanne B. Ramsey
> Physical and Life Sciences Directorate
> Lawrence Livermore National Laboratory
> 7000 East Ave., L-556
> Livermore, CA 94550
> Email rams...@llnl.gov
> Office (925)423-9530 Cell (925)980-7621
> ========================================
> "Experience is what you get when you didn't get what you wanted."

--
Stephen McDonald
http://jupo.org
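The bug class behind CVE-2018-16632 is a request parameter (the popup's `title`) written back into the admin response without escaping for its output context. The thread does not show the grappelli-safe diff, so the code below is an added, self-contained illustration of the mitigation pattern and a matching regression check, not Mezzanine's or grappelli-safe's code; the function names, the minimal markup and the `title=` query parameter are assumptions made for the example, and the only non-standard thing it relies on is Python's stdlib `html.escape`, which does the same job Django's template autoescaping and `format_html` do in the real project.

```python
# Added example (not Mezzanine or grappelli-safe code): escaping a reflected
# request parameter for its HTML output context, plus a regression check.
from html import escape
from urllib.parse import parse_qs, urlsplit


def title_from_url(url: str) -> str:
    """Pull the hypothetical `title` query parameter out of an admin popup URL
    shaped like /admin/blog/blogcategory/add/?_to_field=id&_popup=1&title=...
    (constructed for this example)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("title", [""])[0]


def render_popup_unsafe(title: str) -> str:
    """Vulnerable shape: the parameter is interpolated into markup verbatim,
    so any HTML-significant characters in it become part of the page."""
    return f'<h1>Add blog category</h1><input name="title" value="{title}">'


def render_popup_safe(title: str) -> str:
    """Hardened shape: escape before output. quote=True (the default) also
    encodes both quote characters, which matters because the value lands
    inside an attribute, not just in text content."""
    safe_title = escape(title, quote=True)
    return f'<h1>Add blog category</h1><input name="title" value="{safe_title}">'


def is_reflected_unescaped(rendered_html: str, marker: str = "<x>") -> bool:
    """Regression check: True when an HTML-significant marker from the input
    survives into the output unescaped. A correctly escaped render contains
    only the entity-encoded form (&lt;x&gt;), never the raw marker."""
    return marker in rendered_html


if __name__ == "__main__":
    # Constructed request: a harmless marker in the title parameter.
    url = "/admin/blog/blogcategory/add/?_to_field=id&_popup=1&title=Hello%20%3Cx%3E"
    title = title_from_url(url)
    print("unsafe reflects raw markup:", is_reflected_unescaped(render_popup_unsafe(title)))
    print("safe reflects raw markup:  ", is_reflected_unescaped(render_popup_safe(title)))
```

The check is deliberately written against the rendered output rather than the input filter: the durable fix for reflected XSS is escaping at the point of output for the context it lands in (here an attribute value, hence the quote handling), and a test that asserts the raw marker never survives is what keeps a later template change from reintroducing the issue.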