Bugzilla – Bug 936357
VUL-0: CVE-2015-5081: python-django,python-Django: Re: CVE Request: Django CMS
Last modified: 2017-08-24 21:51:50 UTC
From: Matthew Wilkes <matthew () matthewwilkes co uk>
Date: Sun, 28 Jun 2015 00:23:10 +0100
Can a CVE be assigned to this issue, please?
It's a CSRF issue around publishing of draft changes in Django CMS. Versions affected are Django CMS <3.0.14 and <3.1.1. I haven't verified its presence in Django CMS <3.0, I'm afraid.
The relevant commit is:
The vendor credits the following with the discovery:
* Sylvain Fankhauser of L//P
* Matthew Wilkes of The Code Distillery
Thanks, let me know if you'd like more information.
> a CSRF issue around publishing of draft changes
Use CVE-2015-5081 for the CSRF issue.
The cms.changelist.js and cms.toolbar.js changes include a comment
"send post request to prevent xss attacks." The "xss" word choice
might be a mistake. We are not currently assigning a CVE ID for a
separate XSS issue.
Sylvain Fankhauser of L//P and Matthew Wilkes of The Code Distillery,
who discovered and privately demonstrated to the django CMS core
developers an important CSRF vulnerability and contacted us through
the documented channels.
CVE IDs were not assigned on a per-discoverer basis here because there
was no available information suggesting that different persons
independently discovered different CSRF problems.
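The fix MITRE refers to above moved the draft-publish action from a GET request to a POST request carrying a CSRF token. The following stand-alone model is an added illustration of why that matters and is not code from Django CMS, from the commit, or from anyone in this thread: it puts a "before" handler (state change on a plain GET, no per-session secret) beside an "after" handler (POST only, token checked against the session). The `Request`, `Session` and `DraftStore` classes and the `/publish` path are constructed for the example; `csrfmiddlewaretoken` and `X-CSRFToken` are Django's usual form-field and header names, used here only as labels, since this model does not import Django.

```python
"""Constructed model of a CSRF-exposed publish action and its hardened form.
Not Django CMS code; the request/session objects below are stand-ins."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request reaching the CMS."""
    method: str
    path: str
    params: dict = field(default_factory=dict)   # query string or form fields
    headers: dict = field(default_factory=dict)


@dataclass
class Session:
    """Server-side session. The browser attaches the session cookie to every
    request for this site, including requests another origin causes it to make,
    so "a session exists" is not evidence the user intended the action."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


class DraftStore:
    def __init__(self):
        self.published = set()


def publish_before(store: DraftStore, session: Session, req: Request) -> int:
    """'Before' shape: publishing is reachable by a plain GET and the only
    implicit check is the session cookie, which arrives automatically.
    A cross-site request therefore publishes the draft."""
    if req.path != "/publish":
        return 404
    store.published.add(req.params["page"])
    return 200


def publish_after(store: DraftStore, session: Session, req: Request) -> int:
    """'After' shape: POST only, plus a token tied to the session. Another
    origin cannot read the token (same-origin policy), so it cannot send it.
    The comparison is constant-time to avoid leaking the token via timing."""
    if req.path != "/publish":
        return 404
    if req.method != "POST":
        return 405
    sent = req.params.get("csrfmiddlewaretoken") or req.headers.get("X-CSRFToken", "")
    if not hmac.compare_digest(sent.encode(), session.csrf_token.encode()):
        return 403
    store.published.add(req.params["page"])
    return 200


def demo() -> dict:
    """Run a cross-site GET, a token-less POST and a legitimate POST through
    both handlers and report what each did. All inputs are constructed."""
    session = Session(user="editor")
    cross_site_get = Request("GET", "/publish", {"page": "7"})
    tokenless_post = Request("POST", "/publish", {"page": "7"})
    legit_post = Request("POST", "/publish",
                         {"page": "7", "csrfmiddlewaretoken": session.csrf_token})
    results = {}

    before = DraftStore()
    results["before_cross_site"] = publish_before(before, session, cross_site_get)
    results["before_published"] = sorted(before.published)

    after = DraftStore()
    results["after_cross_site"] = publish_after(after, session, cross_site_get)
    results["after_tokenless_post"] = publish_after(after, session, tokenless_post)
    results["after_legit"] = publish_after(after, session, legit_post)
    results["after_published"] = sorted(after.published)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The server-side check is the part that counts: changing the JavaScript to send a POST (as the commit's comment describes) only helps if the view also refuses GET and verifies the token, which in a real Django project is what `CsrfViewMiddleware` together with a POST-only view provides.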
hmm, this is about django cms, not django itself apparently