VYPR
Moderate severity · NVD Advisory · Published May 5, 2025 · Updated May 6, 2025

CVE-2025-29573

Description

Cross-Site Scripting (XSS) vulnerability exists in Mezzanine CMS 6.0.0 in the "View Entries" feature within the Forms module.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Persistent XSS in Mezzanine CMS 6.0.0 via unsanitized filenames in the Forms module's View Entries admin interface.

Vulnerability

Overview

CVE-2025-29573 is a persistent Cross-Site Scripting (XSS) vulnerability in Mezzanine CMS version 6.0.0, specifically within the Forms module's "View Entries" feature. The root cause is the unsafe use of Django's mark_safe function on line 435 of mezzanine/forms/forms.py, which marks a filename as safe HTML without escaping. When an administrator views form submissions that include a file upload field, the filename is rendered directly into the page, allowing an attacker to inject arbitrary JavaScript code via a malicious filename [1][3].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must be able to submit a form that includes a file upload field. The attacker uploads a file with a crafted filename containing a JavaScript payload. No authentication is required for the submission itself, but the payload triggers only when an authenticated administrator accesses the form entries view at /admin/forms/entries/ [3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the administrator's browser session. This can lead to theft of session cookies, defacement of the admin interface, or further actions within the CMS with elevated privileges. The vulnerability is considered high severity because it targets the administrative interface, which has access to sensitive data and configuration [3].

Mitigation

Status

As of the publication date, no official patch has been released by the Mezzanine project maintainers. The vulnerability was disclosed in March 2025, and the project has not responded. Users are advised to apply input sanitization on filenames or restrict file upload functionality until a fix is available [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: Mezzanine (PyPI)
Affected versions: <= 6.0.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3
