Mezzanine@6.0.1 vulnerabilities

An open source content management platform built using the Django framework.

Direct Vulnerabilities

Known vulnerabilities in the Mezzanine package. This does not include vulnerabilities belonging to this package’s dependencies.

Severity: Medium
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the displayable_links_js function. An attacker can execute arbitrary JavaScript code in the context of another authenticated admin user's browser by creating a blog post with a crafted title and tricking the victim into accessing the /admin/displayable_links.js endpoint.

How to fix Cross-site Scripting (XSS)?

Upgrade Mezzanine to version 6.1.1 or higher.

Vulnerable versions: [,6.1.1)

Severity: Low
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the EntriesForm class in the Forms module. An attacker can submit files with malicious filenames and execute arbitrary JavaScript in the browser context of authenticated admins.

Note: This is a persistent XSS in forms containing file uploads, so the payload will be executed every time an admin views the affected entry.

How to fix Cross-site Scripting (XSS)?

Upgrade Mezzanine to version 6.1.1 or higher.

Vulnerable versions: [0.12,6.1.1)

Severity: Medium
Authentication Bypass Using an Alternate Path or Channel

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to the manipulation of the Host header. An attacker can bypass access controls by crafting malicious Host header values.

How to fix Authentication Bypass Using an Alternate Path or Channel?

There is no fixed version for Mezzanine.

Vulnerable versions: [0,)

Severity: Medium
Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the admin panel.

How to fix Cross-site Request Forgery (CSRF)?

There is no fixed version for Mezzanine.

Vulnerable versions: [0,)

Severity: Medium
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It allows remote attackers to execute arbitrary JavaScript via the Description field of the admin/blog/blogpost/add/ page.

How to fix Cross-site Scripting (XSS)?

Upgrade Mezzanine to version 6.1.1 or higher.

Vulnerable versions: [,6.1.1)