CVE-2025-6050: 
Python vulnerability analysis and mitigation

Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-6050) discovered by Checkmarx CxResearch group and disclosed on May 21, 2025. The vulnerability exists in the admin interface, specifically in the 'displayablelinksjs' function, which fails to properly sanitize blog post titles before including them in JSON responses served via '/admin/displayable_links.js' (NVD, Wiz).

The vulnerability stems from improper sanitization of blog post titles in the 'displayablelinksjs' function. When these titles are included in JSON responses served through the '/admin/displayable_links.js' endpoint, the lack of proper sanitization allows for stored XSS attacks. The vulnerability has been assigned a CVSS v4.0 score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N, indicating that while the vulnerability requires high privileges, it can be exploited over the network with low attack complexity (NVD).

The vulnerability allows an authenticated admin user to create a blog post with a malicious JavaScript payload in the title field, which can then be used to execute arbitrary JavaScript code in another admin user's browser when they access the affected endpoint. While the impact is limited to admin users, it could potentially lead to unauthorized actions being performed with administrative privileges (Wiz).

The vulnerability has been fixed in Mezzanine CMS version 6.1.1. Users are advised to upgrade to this version or later to address the security issue. The fix was implemented in commit 898630d (GitHub Discussion).

The vulnerability was responsibly disclosed by Checkmarx CxResearch group through GitHub discussions after attempts to contact the maintainers through various channels. The Mezzanine team, particularly Henri Hulski, responded promptly to the disclosure and implemented a fix (GitHub Discussion).