
Cloud Vulnerability DB
A community-led vulnerabilities database
A stored cross-site scripting (XSS) vulnerability was discovered in django CMS Attributes Field (the djangocms-attributes-field package) in versions before 4.0. The vulnerability (CVE-2024-11406) exists because attribute names were validated in the model field but not in the form field, so anything submitted through a form bypassed the check. It therefore affects applications that use the form field, such as django CMS Frontend (Django CMS Blog).
The injection point is the django CMS admin page-editing interface. When a plugin such as 'card' or 'badge' is added to a placeholder via 'Add plugin to placeholder Page Content', the plugin's 'Advanced settings' section accepts arbitrary attributes without sanitization. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.9 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N (ILTOSEC Blog). The PR:H and UI:R components reflect that the attacker needs an account with plugin-editing rights and that a victim must view the affected content; the changed scope reflects that the payload runs in the victim's browser rather than in the CMS backend.
An authenticated editor can store an XSS payload in the attributes field; it executes in the browser of any other user who later views the affected content, including users with higher privileges in the admin. This can expose that user's session and data and allow actions to be performed within the application with the victim's privileges (Django CMS Blog).
The vulnerability has been fixed in django CMS Attributes Field version 4.0. The patch adds the missing validation to the form field and introduces a default deny-list of attribute names that can execute JavaScript: 'src', 'href', 'data', 'action', and any name matching 'on*' (the event-handler attributes such as onclick and onerror). Users are strongly recommended to upgrade to version 4.0. Because the protection is a default deny-list, projects that customize the excluded keys should make sure these entries remain excluded (Django CMS Blog).
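The following is an added illustration of the flaw and the fix described above, written for this page; it is not code from djangocms-attributes-field. It models the pre-4.0 form field (attributes passed through unvalidated) beside a form field that applies a deny-list built from the keys the page lists. The prefix-pattern handling ('on*') and the case-insensitive comparison are assumptions about how such a list should be matched, not a description of the library's implementation; the sample attributes are constructed.

```python
import html
import re
from typing import Dict, Iterable, Mapping

# Deny-list modelled on the defaults the page attributes to the 4.0 fix.
# A trailing "*" marks a prefix rule: "on*" covers onclick, onerror, onmouseover, ...
DEFAULT_EXCLUDED_KEYS = ("src", "href", "data", "action", "on*")

# Syntactic check on attribute names (letters, digits, "-", "_", ":", ".").
# Hypothetical rule for this example; it is not the library's regex.
ATTR_NAME_RE = re.compile(r"^[A-Za-z_:][-A-Za-z0-9_:.]*$")


def key_is_excluded(key: str, excluded_keys: Iterable[str] = DEFAULT_EXCLUDED_KEYS) -> bool:
    """True if `key` matches an excluded name or prefix rule. Comparison is
    case-insensitive (assumption): HTML attribute names are case-insensitive,
    so "onClick" must be treated the same as "onclick"."""
    k = key.strip().lower()
    for rule in excluded_keys:
        rule = rule.lower()
        if rule.endswith("*"):
            if k.startswith(rule[:-1]):
                return True
        elif k == rule:
            return True
    return False


def validate_attributes(attrs: Mapping[str, str],
                        excluded_keys: Iterable[str] = DEFAULT_EXCLUDED_KEYS) -> Dict[str, str]:
    """Reject malformed or denied attribute names; return a cleaned copy.
    Note that "data-id" is allowed while the bare "data" attribute is not."""
    cleaned: Dict[str, str] = {}
    for key, value in attrs.items():
        if not ATTR_NAME_RE.match(key):
            raise ValueError(f"invalid attribute name: {key!r}")
        if key_is_excluded(key, excluded_keys):
            raise ValueError(f"attribute not allowed: {key!r}")
        cleaned[key] = str(value)
    return cleaned


def render_attributes(attrs: Mapping[str, str]) -> str:
    """Serialize attributes into a tag the way a template would, HTML-escaping
    the values. Escaping alone does not help here: an event handler such as
    onmouseover="alert(document.cookie)" contains no characters to escape, so
    the attribute *name* has to be rejected before it reaches the template."""
    return " ".join(f'{k}="{html.escape(v, quote=True)}"' for k, v in attrs.items())


class VulnerableAttributesFormField:
    """Pre-4.0 behaviour as the page describes it: the form field did not
    validate, so data submitted through the admin form skipped the model check."""

    def clean(self, attrs: Mapping[str, str]) -> Dict[str, str]:
        return dict(attrs)


class PatchedAttributesFormField:
    """4.0 behaviour: the form field applies the same validation as the model field."""

    def __init__(self, excluded_keys: Iterable[str] = DEFAULT_EXCLUDED_KEYS):
        self.excluded_keys = excluded_keys

    def clean(self, attrs: Mapping[str, str]) -> Dict[str, str]:
        return validate_attributes(attrs, self.excluded_keys)


# Constructed sample of what an editor could type into a plugin's "Advanced settings".
PAYLOAD = {"class": "badge", "onmouseover": "alert(document.cookie)"}


def demo():
    """Return (what the vulnerable path renders, what the patched path does)."""
    vulnerable = render_attributes(VulnerableAttributesFormField().clean(PAYLOAD))
    try:
        PatchedAttributesFormField().clean(PAYLOAD)
        patched = "accepted"
    except ValueError as exc:
        patched = f"rejected: {exc}"
    return vulnerable, patched


if __name__ == "__main__":
    before, after = demo()
    print("vulnerable form field renders:", before)
    print("patched form field:", after)
```

The vulnerable path emits `class="badge" onmouseover="alert(document.cookie)"` straight into the page markup, which is exactly the stored-XSS condition; the patched path refuses the submission at form-clean time. Keeping the deny-list in one place (here `DEFAULT_EXCLUDED_KEYS`) and calling the same validator from both the model and the form field is what prevents the two code paths from drifting apart again.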
Source: This report was generated using AI