
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A Persistent Cross-Site Scripting (XSS) vulnerability (CVE-2025-29573) was discovered in Mezzanine CMS version 6.0.0, specifically affecting the "View Entries" feature within the Forms module. The vulnerability was discovered on March 5, 2025, and publicly disclosed on May 5, 2025. The issue affects the administrative interface of Mezzanine CMS, a popular content management platform built using the Django framework (Squad AppSec).
The vulnerability occurs due to improper sanitization of file names in the Forms module. The root cause is unsafe rendering of filenames through direct HTML interpolation without escaping, specifically in mezzanine/forms/forms.py at line 435, where mark_safe('%s' % parts) is used. Django's mark_safe function instructs the template engine not to escape the content, so any markup contained in untrusted input such as a user-submitted filename is rendered as-is and can execute in the viewing administrator's browser. The vulnerability has received a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Squad AppSec).
The vulnerability is considered high severity as it affects the administrative interface of Mezzanine CMS. Successful exploitation can lead to session hijacking, privilege escalation through internal API abuse, UI manipulation for phishing attacks, and unauthorized actions through session riding. The persistent nature of the XSS means the payload remains stored in the system and executes every time an admin views the affected entry, potentially compromising multiple admin accounts in multi-admin environments (Squad AppSec).
Recommended mitigations include applying patches when available from project maintainers, implementing proper sanitization of file names and user inputs before HTML rendering, and avoiding the use of mark_safe on untrusted content without proper escaping. As of the last update, no response had been received from project maintainers regarding a fix (Squad AppSec).
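The following is an added illustration (not Mezzanine's code) of the pattern described above: a filename interpolated straight into markup and handed to mark_safe, beside the escaped alternative. It uses the standard library's html.escape so it runs without Django; Django's own escape() and format_html() apply the same escaping. The link shape, the sample filename and the helper names are assumptions.

```python
# Vulnerable-vs-hardened rendering of a user-submitted file name, modelled on
# the mark_safe('%s' % parts) pattern. The markup shape, sample values and
# helper names are assumptions made for this illustration, not Mezzanine's own.
from html import escape


def build_parts(filename: str, href: str) -> str:
    """Assemble the link fragment the way the vulnerable path does:
    plain string interpolation, with neither value escaped."""
    return '<a href="%s">%s</a>' % (href, filename)


def render_vulnerable(filename: str, href: str) -> str:
    """Stand-in for mark_safe('%s' % parts): the fragment reaches the template
    untouched, so any markup inside the filename is rendered literally."""
    parts = build_parts(filename, href)
    return '%s' % parts  # mark_safe() would wrap this; escaping never happens


def render_hardened(filename: str, href: str) -> str:
    """Escape every untrusted value before it is placed in the markup.
    Django's format_html()/escape() do the same; html.escape with quote=True
    also escapes quotes, which matters for the attribute value."""
    return '<a href="%s">%s</a>' % (escape(href, quote=True),
                                    escape(filename, quote=True))


def leaks_markup(rendered: str, untrusted: str) -> bool:
    """Regression check: True when an input that contains HTML-significant
    characters appears verbatim (unescaped) in the rendered output."""
    needs_escaping = any(ch in untrusted for ch in '<>"\'&')
    return needs_escaping and untrusted in rendered


# Constructed sample entry (not a real upload): a stored name carrying markup.
SAMPLE_NAME = 'report<script>1</script>.pdf'
SAMPLE_HREF = '/static/media/uploads/report.pdf'


def compare() -> dict:
    """Render the constructed sample both ways and report which path leaks."""
    unsafe = render_vulnerable(SAMPLE_NAME, SAMPLE_HREF)
    safe = render_hardened(SAMPLE_NAME, SAMPLE_HREF)
    return {
        "vulnerable_leaks": leaks_markup(unsafe, SAMPLE_NAME),  # True
        "hardened_leaks": leaks_markup(safe, SAMPLE_NAME),      # False
    }
```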
Source: This report was generated using AI