Hi folks. 

We have released security updates for django CMS versions 3.7.x, 3.6.x, 3.5.x 
and 3.4.x to address medium-level vulnerabilities. We recommend updating to 
version 3.7.4, 3.6.1, 3.5.4 or 3.4.7.

<https://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1/>

The updated releases are now available from our GitHub repository 
<https://github.com/divio/django-cms/> and PyPI for installation via Pip. 

Divio users can also update their django CMS installations via the Control 
Panel.

Thanks to Sahil Dhar for the detailed report.

Sahil discovered that django CMS does not validate the plugin_type parameter 
while generating error messages for invalid plugin types. The vulnerability 
allows an attacker to execute arbitrary JavaScript code in the web browser of 
an affected user.

Please see the relevant commits on GitHub for more information about the 
vulnerability and mitigation.

As ever, we remind our users and contributors that all security reports, 
patches and concerns should be addressed only to our security team by email, 
at secur...@django-cms.org.

Please do not use GitHub, our email lists or IRC to report, address or 
otherwise discuss matters relating to security.

Regards to all on behalf of the django CMS team,

Daniele
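The bug class described above (a request-supplied identifier reflected into an HTML error message without validation or escaping) is easier to reason about with a minimal model beside it. The following is an added illustration, not django CMS code and not the patch Sahil's report led to; the plugin registry, the handler, the helper names and the constructed payload are all assumptions made for the example. It shows the vulnerable pattern next to a hardened one that first checks the value is even shaped like a plugin class name and then HTML-escapes whatever is echoed, plus a small check a tester can run over a response body to confirm whether raw markup came back.

```python
import html
import re
from typing import Tuple

# Constructed stand-in for a CMS plugin registry (assumption: entries are keyed
# by plugin class name, which is how the plugin_type value is normally used).
REGISTERED_PLUGIN_TYPES = {"TextPlugin", "PicturePlugin", "LinkPlugin"}

# A plugin type is a Python class name, so any value that is not an identifier
# cannot be a legitimate plugin and there is no reason to echo it back at all.
PLUGIN_TYPE_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def invalid_plugin_error_unsafe(plugin_type: str) -> str:
    """Vulnerable pattern: the request-supplied value is interpolated into the
    HTML error body unescaped, so a crafted plugin_type executes in the
    browser of whoever views the error page."""
    return f"<p>Plugin type {plugin_type} is not registered.</p>"


def invalid_plugin_error_safe(plugin_type: str) -> str:
    """Hardened pattern: validate the shape of the value before echoing it, and
    HTML-escape it even when it passes (defence in depth, no cost)."""
    if not PLUGIN_TYPE_RE.fullmatch(plugin_type):
        # Do not reflect arbitrary input; a generic message is enough to debug.
        return "<p>Invalid plugin type.</p>"
    return f"<p>Plugin type {html.escape(plugin_type)} is not registered.</p>"


def render_plugin(plugin_type: str, safe: bool = True) -> Tuple[int, str]:
    """Simulated request handler: returns (HTTP status, response body).
    `safe=False` selects the vulnerable error path for comparison."""
    if plugin_type in REGISTERED_PLUGIN_TYPES:
        return 200, f'<div class="cms-plugin">{plugin_type} rendered</div>'
    if safe:
        return 400, invalid_plugin_error_safe(plugin_type)
    return 400, invalid_plugin_error_unsafe(plugin_type)


def reflects_raw_markup(body: str, payload: str) -> bool:
    """Tester's check: did the response echo the payload's markup unescaped?
    Escaped output contains &lt;script&gt;, never the literal tag."""
    return payload in body


if __name__ == "__main__":
    # Constructed probe value; a real test would use a harmless marker string.
    probe = "<script>alert(document.domain)</script>"
    for mode in (False, True):
        status, body = render_plugin(probe, safe=mode)
        print(f"safe={mode} status={status} reflected={reflects_raw_markup(body, probe)}")
        print("   ", body)
```

The shape check is the part that actually closes the hole: escaping alone would also stop script execution, but refusing to echo anything that is not identifier-shaped means the error path never becomes a reflector for attacker-chosen text, which is the safer default for any diagnostic message that includes user input.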

--- 
You received this message because you are subscribed to the Google Groups 
"django CMS developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-cms-developers+unsubscr...@googlegroups.com.
To view this discussion on the web, visit 
https://groups.google.com/d/msgid/django-cms-developers/20200722155345.1354191363%40mail.gandi.net.