GHSA-7pr5-w74r-jjj7

Source
https://github.com/advisories/GHSA-7pr5-w74r-jjj7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-7pr5-w74r-jjj7/GHSA-7pr5-w74r-jjj7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7pr5-w74r-jjj7
Aliases
Published
2025-06-17T12:31:15Z
Modified
2025-07-15T01:15:52.338723Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N
Summary
Mezzanine CMS has a Stored Cross-Site Scripting (XSS) vulnerability in the displayable_links_js function
Details

Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Site Scripting (XSS) vulnerability in the admin interface. The vulnerability exists in the "displayable_links_js" function, which fails to properly sanitize blog post titles before including them in the JSON response served via "/admin/displayable_links.js". An authenticated admin user can create a blog post whose title field contains a malicious JavaScript payload, then trick another admin user into opening a direct link to the "/admin/displayable_links.js" endpoint, causing the script to execute in that user's browser.

Database specific
{
    "severity": "MODERATE",
    "github_reviewed_at": "2025-06-17T15:38:10Z",
    "nvd_published_at": "2025-06-17T11:15:22Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true
}
References

Affected packages

PyPI / mezzanine

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.1

Affected versions

0.*

0.1
0.1.1
0.1.2
0.1.3
0.1.4
0.2
0.2.1
0.2.2
0.2.3
0.2.4
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.4
0.5.1
0.5.2
0.5.3
0.5.4
0.6
0.6.1
0.6.2
0.6.3
0.6.4
0.7
0.7.2
0.8
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.9
0.9.1
0.10
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.11
0.11.1
0.11.2
0.11.3
0.11.4
0.11.5
0.11.6
0.11.7
0.11.8
0.11.9
0.11.10
0.12
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.4.10
1.4.11
1.4.12
1.4.13
1.4.14
1.4.15
1.4.16

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10

4.*

4.0.0
4.0.1
4.1.0
4.2.0
4.2.1
4.2.2
4.2.3
4.3.0
4.3.1

5.*

5.0.0a1
5.0.0rc1
5.0.0
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4

6.*

6.0.0
6.0.1
6.1.0