CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2021-29434 – Improper validation of URLs ('Cross-site Scripting') in Wagtail rich text fields
https://notcve.org/view.php?id=CVE-2021-29434
Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. • https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx https://pypi.org/project/wagtail • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.7EPSS: 0%CPEs: 2EXPL: 0CVE-2020-15118 – Cross-Site Scripting in Wagtail
https://notcve.org/view.php?id=CVE-2020-15118
In Wagtail before versions 2.7.4 and 2.9.3, when a form page type is made available to Wagtail editors through the `wagtail.contrib.forms` app, and the page template is built using Django's standard form rendering helpers such as form.as_p, any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.4 (for the LTS 2.7 branch) and Wagtail 2.9.3 (for the current 2.9 branch). • https://docs.djangoproject.com/en/3.0/ref/models/fields/#django.db.models.Field.help_text https://docs.wagtail.io/en/stable/reference/contrib/forms/index.html#usage https://github.com/wagtail/wagtail/blob/master/docs/releases/2.9.3.rst https://github.com/wagtail/wagtail/commit/d9a41e7f24d08c024acc9a3094940199df94db34 https://github.com/wagtail/wagtail/security/advisories/GHSA-2473-9hgq-j7xw • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •