FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Wagtail -- XSS vulnerability

Affected packages
2.8.0 <= py36-wagtail < 2.9.3
py36-wagtail < 2.7.4
2.8.0 <= py37-wagtail < 2.9.3
py37-wagtail < 2.7.4
2.8.0 <= py38-wagtail < 2.9.3
py38-wagtail < 2.7.4

Details

VuXML ID e1d3a580-cd8b-11ea-bad0-08002728f74c
Discovery 2020-07-20
Entry 2020-07-24

GitHub Advisory Database:

When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django's standard form rendering helpers such as form.as_p (as directed in the documentation), any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

References

CVE Name CVE-2020-15118
URL https://github.com/advisories/GHSA-2473-9hgq-j7xw