CVE-2020-15118, GHSA-2473-9hgq-j7xw
pypi/wagtail
Cross-site Scripting
When a form page type is made available to Wagtail editors through the wagtail.contrib.forms
app, and the page template is built using Django's standard form rendering helpers such as form.as_p
, any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation.
All versions starting from 2.7 before 2.7.4, all versions starting from 2.9 before 2.9.3
Upgrade to versions 2.7.4, 2.9.3 or above.
2020-07-30
source |