CVE-2021-32681
Improper escaping of HTML ('Cross-site Scripting') in Wagtail StreamField blocks
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 3
Exploited in Wild: -
Decision: -
Descriptions
Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with 'editor' access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django's `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`.
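An added example, not taken from the advisory or from the Wagtail project, of the audit the workaround above calls for: a small Python script that flags `{% include_block %}` tags applied to a plain-text block with no template of its own and rewrites them to Django's `{{ ... }}` syntax, leaving container blocks (such as a StructBlock) and blocks that do have a template untouched. The template, the variable names and the `BLOCK_MAP` that ties each variable to its block class are constructed for the example; a real audit would derive that map from the site's own StreamField definitions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Plain-text block types whose value {% include_block %} emits unescaped when the
# block has no template of its own (the condition described in the advisory).
PLAIN_TEXT_BLOCK_TYPES = {"CharBlock", "TextBlock"}

# {% include_block <var> [with ...] %}: group 1 is the variable, group 2 any extra args.
INCLUDE_BLOCK_RE = re.compile(r"{%\s*include_block\s+([\w.]+)([^%]*)%}")

# Constructed for this example: template variable -> (block class, block template or None).
# In a real audit this map is derived from the project's own StreamField definitions.
BlockMap = Dict[str, Tuple[str, Optional[str]]]
BLOCK_MAP: BlockMap = {
    "my_title_block": ("CharBlock", None),
    "my_text_block": ("TextBlock", None),
    "my_caption_block": ("CharBlock", "blocks/caption.html"),  # has a template: not affected
    "my_struct_block": ("StructBlock", None),  # container of CharBlocks: not affected
}

# Constructed sample template mixing affected and unaffected usages.
TEMPLATE = """\
{% load wagtailcore_tags %}
<h1>{% include_block my_title_block %}</h1>
<p>{% include_block my_text_block %}</p>
{% include_block my_struct_block %}
{% include_block my_caption_block with extra=1 %}
"""

def is_unsafe(var: str, block_map: BlockMap) -> bool:
    """True when var is a plain-text block relying on the default (unescaped) rendering."""
    block_type, template = block_map.get(var, ("", None))
    return block_type in PLAIN_TEXT_BLOCK_TYPES and template is None

def find_unsafe_include_blocks(template: str, block_map: BlockMap) -> List[Tuple[int, str]]:
    """Return (line number, variable) for each affected {% include_block %} usage."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), 1):
        for m in INCLUDE_BLOCK_RE.finditer(line):
            if is_unsafe(m.group(1), block_map):
                findings.append((lineno, m.group(1)))
    return findings

def rewrite_unsafe_include_blocks(template: str, block_map: BlockMap) -> str:
    """Apply the advisory's workaround: swap affected tags for Django's autoescaped {{ var }}."""
    def repl(m: "re.Match[str]") -> str:
        var = m.group(1)
        return "{{ %s }}" % var if is_unsafe(var, block_map) else m.group(0)
    return INCLUDE_BLOCK_RE.sub(repl, template)
```

Any `with` arguments on a rewritten tag are dropped, which is harmless here because a plain-text block without a template never consumed them.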
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-05-12 CVE Reserved
- 2021-06-17 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (4)
URL | Tag | Source
---|---|---
https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf | Mitigation |

URL | Date | SRC
---|---|---
https://github.com/wagtail/wagtail/releases/tag/v2.11.8 | 2024-08-03 |
https://github.com/wagtail/wagtail/releases/tag/v2.12.5 | 2024-08-03 |
https://github.com/wagtail/wagtail/releases/tag/v2.13.2 | 2024-08-03 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Torchbox | Wagtail | < 2.11.8 | - | Affected
Torchbox | Wagtail | >= 2.12 <= 2.12.4 | - | Affected
Torchbox | Wagtail | >= 2.13 <= 2.13.1 | - | Affected