Lucene search
GoogleOSV:PYSEC-2021-114HistoryApr 19, 2021 - 7:15 p.m.
PYSEC-2021-114
2021-04-1919:15:00
Google
osv.dev
12
wagtail cms
django
malicious code
rich text field
protocol validation
vulnerability
admin interface
post request
javascript url
github advisory
workaround
patch
lts 2.11
current 2.12 branch
EPSS
0.001
Percentile
19.4%
Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with javascript: URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).
Related
osv
osv
CVE-2021-29434
2021-04-19 19:15:17
prion
prion
Code injection
2021-04-19 19:15:00
github
github
cve
cve
CVE-2021-29434
2021-04-19 19:15:17
veracode
veracode
Cross-site Scripting (XSS)
2021-04-20 04:10:47
nvd
nvd
CVE-2021-29434
2021-04-19 19:15:17
cvelist
cvelist