Release notes 3.11.9
Security fix
django CMS 3.11.9 closes a security vulnerability that could allow an attacker to inject malicious code into the page title, causing arbitrary JavaScript to be loaded when the page is viewed. We recommend that you upgrade to this version as soon as possible.
The security issue is of low severity, since an attacker needs to have access to the django CMS admin interface to exploit it.
Thanks to Ali İltizar (@alii76tt) for reporting the issue.
Note
As ever, we remind our users and contributors that all security reports, patches and concerns should be addressed only to our security team by email, at security@django-cms.org.
What’s new in 3.11.9
Bug Fixes:
XSS vulnerability for page title (#8075) (699f04e9b) – Fabian Braun
fix: Accept legacy action names for page permission check (#8022) (fc4838f99) – Fabian Braun
Statistics:
This release includes 4 pull requests, and was created with the help of the following contributors (in alphabetical order):
Fabian Braun (2 pull requests)
With the review help of the following contributors:
Mark Walker
Thanks to all contributors for their efforts!
How to upgrade to 3.11.9
We assume you are upgrading from django CMS 3.11.8.
Please make sure that your current database is consistent and in a healthy state, and make a copy of the database before proceeding further.
Then run:
python manage.py migrate # to ensure that your database is up-to-date with migrations
python manage.py cms fix-tree
Check custom code and third-party applications for use of deprecated or removed functionality or APIs (see above). Some third-party components may need to be updated.
Install the new version of django CMS from GitHub or via pip.
Run:
python manage.py migrate
to apply the new migrations.