CVE-2020-15118

Cross-site Scripting in pypi/wagtail

Identifiers

CVE-2020-15118, GHSA-2473-9hgq-j7xw

Package Slug

pypi/wagtail

Vulnerability

Cross-site Scripting

Description

When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django's standard form rendering helpers such as form.as_p, any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation.

Affected Versions

All versions starting from 2.7 before 2.7.4, all versions starting from 2.9 before 2.9.3

Solution

Upgrade to versions 2.7.4, 2.9.3 or above.

Last Modified

2020-07-30