Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXYyd2MtcGZxMi01Y202
Possible XSS attack in Wagtail
Impact
A cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
Patches
Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).
Workarounds
Site owners who are unable to upgrade to the new versions can disable the revision comparison view by adding the following URL route to the top of their project's urls.py configuration:
from django.views.generic.base import RedirectView
urlpatterns = [
url(r'^admin/pages/(\d+)/revisions/compare/', RedirectView.as_view(url='/admin/')),
# ...
]
Acknowledgements
Many thanks to Vlad Gerasimenko for reporting this issue.
For more information
If you have any questions or comments about this advisory:
- Visit Wagtail's support channels
- Email us at [email protected] (if you wish to send encrypted email, the public key ID is
0x6ba1e1a86e0f8ce8)
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXYyd2MtcGZxMi01Y202
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: almost 2 years ago
CVSS Score: 5.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
Identifiers: GHSA-v2wc-pfq2-5cm6, CVE-2020-11001
References:
- https://github.com/wagtail/wagtail/security/advisories/GHSA-v2wc-pfq2-5cm6
- https://github.com/wagtail/wagtail/commit/61045ceefea114c40ac4b680af58990dbe732389
- https://github.com/wagtail/wagtail/releases/tag/v2.8.1
- https://nvd.nist.gov/vuln/detail/CVE-2020-11001
- https://github.com/advisories/GHSA-v2wc-pfq2-5cm6
Blast Radius: 19.1
Affected Packages
pypi:wagtail
Dependent packages: 200Dependent repositories: 1,955
Downloads: 268,592 last month
Affected Version Ranges: = 2.8.0, >= 1.9.0, < 2.7.2
Fixed in: 2.8.1, 2.7.2
All affected versions: 1.9.1, 1.10.1, 1.11.1, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 2.0.1, 2.0.2, 2.1.1, 2.1.2, 2.1.3, 2.2.1, 2.2.2, 2.5.1, 2.5.2, 2.6.1, 2.6.2, 2.6.3, 2.7.1
All unaffected versions: 0.3.1, 0.4.1, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 1.3.1, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.5.1, 1.5.2, 1.5.3, 1.6.1, 1.6.2, 1.6.3, 1.8.1, 1.8.2, 2.7.2, 2.7.3, 2.7.4, 2.8.1, 2.8.2, 2.9.1, 2.9.2, 2.9.3, 2.10.1, 2.10.2, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.7, 2.11.8, 2.11.9, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.12.6, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.14.1, 2.14.2, 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.15.5, 2.15.6, 2.16.1, 2.16.2, 2.16.3, 3.0.1, 3.0.2, 3.0.3, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.1, 5.1.2, 5.1.3, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1.1, 6.1.2, 6.1.3, 6.2.1, 6.2.2, 6.2.3