Stored Cross-Site Scripting (XSS) in admin interface - responsible disclosure

[cx-alex-shleymovich]

Hi,

I'm a security analyst at Checkmarx CxResearch group, a global software security company focused on promoting safer code and libraries.

We've discovered a stored XSS vulnerability in Mezzanine and would like to share a detailed report privately. Unfortunately, the email in the README is no longer valid.

Could you please provide a current email address for this disclosure? We tried [email protected] from PyPI but received no response.

cc: @molokov @kenbolton @jerivas @stephenmcd

Thank you in advance!

[molokov]

Did you try [email protected] ? This is the email address listed for security issues in the README.md

(I'm not on the core team - @henri-hulski is possibly the person to contact)

[cx-alex-shleymovich]

Thank you for your quick response @molokov, @henri-hulski

We initially tried reaching out through [email protected], but the domain no longer exists.

We understand that Mezzanine may not have a formal security disclosure pipeline, which is exactly why we'd like to help establish proper documentation for this vulnerability. Even though this is classified as a low-severity issue (affecting only admin users), it's still important to catalog it properly for the community.

Checkmarx is a registered CNA, so we can handle the CVE assignment process completely free of charge - no costs or fees involved whatsoever. Our goal is to support the open-source community by ensuring security vulnerabilities are properly documented and tracked. This helps users make informed decisions about their dependencies and enables security tools to identify known issues. We'll also provide you with a detailed technical report that includes mitigation steps to help address the vulnerability.

If you have any questions, please do not hesitate to get in touch with us.

Thank you for your attention to this matter.

[henri-hulski]

So what we can do to fix this vulnerability?

[cx-alex-shleymovich]

@henri-hulski Thank you for your willingness to help!

Since this GitHub discussion cannot be made private and the repository doesn't have GitHub Security Advisories enabled (which would allow private vulnerability reporting), I need an alternative way to share the detailed technical report securely.
What would be your preferred method for receiving the vulnerability details? I can share the report via:

• Email (if you can provide an address)
• Private GitHub repository (I can create one and add you as a collaborator)
• Any other secure communication method you prefer

The report includes technical details, proof-of-concept, and recommended mitigation steps that should remain confidential until a patch is implemented.

[cx-alex-shleymovich]

Hi @henri-hulski, just following up on this. I’m ready to share the technical details and mitigation steps for the XSS vulnerability, but need a secure way to send you the report. Would you be able to provide an email address, or would you prefer I create a private GitHub repository and add you as a collaborator? Please let me know your preference so we can help get this resolved for the community. Thank you!

[henri-hulski]

My email is henri.hulski at gazeta.pl.

[henri-hulski]

Should be fixed now.
898630d

[cx-alex-shleymovich]

Thank you for being so helpful, @henri-hulski.
I confirm the issue is now fixed.

Checkmarx has recently become an active CNA, so if you agree, we will gladly attribute a CVE to catalog this case. Our intent is to formally track and document a CVE for cases like this. Properly cataloging these vulnerabilities with CVEs benefits both users and the broader security community by providing standardized identification for security issues and enabling more effective vulnerability management for organizations still using affected versions.

[henri-hulski]

That's ok for me.