CVE-2021-44649
Description
Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| django-cms | PyPI | >= 3.7.0, < 3.7.4 | 3.7.4 |
| django-cms | PyPI | >= 3.6.0, < 3.6.1 | 3.6.1 |
| django-cms | PyPI | >= 3.5.0, < 3.5.4 | 3.5.4 |
| django-cms | PyPI | >= 3.4.0, < 3.4.7 | 3.4.7 |
Affected products
- Django/CMS
Patches
Vulnerability mechanics
Root cause
"Missing output sanitization of the plugin_type parameter when constructing error messages for invalid plugin types."
Attack vector
An attacker who is already authenticated as an admin user can craft a malicious `plugin_type` GET parameter containing JavaScript payloads, such as `Bootstrap4CodePlugin">
Affected code
The vulnerability resides in `/cms/admin/forms.py` within the `PluginAddValidationForm` class, specifically in the `clean_plugin_type` method at line 1268. When a `KeyError` is raised for an invalid plugin type, the error message is constructed by directly concatenating the user-supplied `plugin_type` value into the string `"Invalid plugin type '%s'"` without any sanitization [ref_id=1]. This unsanitized message is then returned via `HttpResponseBadRequest` in the `add_plugin` view at `/cms/admin/placeholderadmin.py` (line 307) [ref_id=1].
What the fix does
The patch (available in django-cms 3.7.3) adds output encoding or context-specific filtering to the `plugin_type` value before it is included in the error message [ref_id=1]. The researcher's remediation guidance recommends implementing "Context Specific filtering to the user input which needs to be displayed in the application response" [ref_id=1]. This closes the XSS by ensuring that any HTML/JavaScript metacharacters in the `plugin_type` parameter are neutralized before being reflected in the HTTP response body.
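The reflection path described above, as an added example that is not django-cms's own code: a constructed stand-in for the plugin pool, the unsafe error construction beside an escaped one, and the 400 response body each would hand to the browser. It uses the standard library's `html.escape` so it runs without Django installed; `django.utils.html.escape` is the in-framework equivalent. The plugin names and the test value are constructed for illustration.

```python
# Added example (not django-cms code). Models the clean_plugin_type / add_plugin
# path with the standard library only, so it runs without Django.
from html import escape

# Constructed stand-in for the django-cms plugin pool: plugin_type -> class path.
PLUGIN_POOL = {
    "TextPlugin": "cms.plugins.TextPlugin",
    "LinkPlugin": "cms.plugins.LinkPlugin",
}


def clean_plugin_type_unsafe(plugin_type: str) -> str:
    """Vulnerable pattern: the raw GET parameter is interpolated into the message."""
    try:
        return PLUGIN_POOL[plugin_type]
    except KeyError:
        # User-controlled text lands unescaped in the error string.
        raise ValueError("Invalid plugin type '%s'" % plugin_type)


def clean_plugin_type_safe(plugin_type: str) -> str:
    """Hardened pattern: HTML-escape the value before it can reach a response body."""
    try:
        return PLUGIN_POOL[plugin_type]
    except KeyError:
        # quote=True also encodes " and ' so attribute contexts are covered.
        raise ValueError("Invalid plugin type '%s'" % escape(plugin_type, quote=True))


def bad_request_body(clean, plugin_type: str) -> str:
    """Stand-in for the add_plugin view: the text an HttpResponseBadRequest would carry,
    or an empty string when the plugin type is known (no error is reflected)."""
    try:
        clean(plugin_type)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    constructed = 'Bootstrap4CodePlugin"><script>alert(1)</script>'  # constructed test value
    print("unsafe:", bad_request_body(clean_plugin_type_unsafe, constructed))
    print("safe:  ", bad_request_body(clean_plugin_type_safe, constructed))
```

Compare the two printed bodies: only the unsafe one contains live markup, and that is the check a regression test for this class of bug should assert on.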
Preconditions
- Auth: Attacker must have valid admin credentials and be logged into the Django CMS application
- Config: Attacker must have created at least one page in the CMS to obtain a valid placeholder_id
- Input: Attacker sends a crafted GET request to the /en/admin/cms/page/add-plugin/ endpoint with a malicious plugin_type parameter
Reproduction
1. Log in to the Django CMS application using admin credentials and create a page.
2. Add a new plugin to the page.
3. Open the following URL in a new browser tab (adjust host, placeholder_id, and cms_path as needed): `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hx7c-qpfq-xcrp (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-44649 (GHSA, advisory)
- github.com/pypa/advisory-database/tree/main/vulns/django-cms/PYSEC-2022-7.yaml (GHSA, web)
- sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability (GHSA, web)
- sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability/ (MITRE, x_refsource_MISC)
- www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1 (GHSA, web)
- www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1/ (MITRE, x_refsource_MISC)