CVE-2020-11001: Possible XSS attack in Wagtail
A cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user’s credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
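The defect class the advisory describes, as an added illustration rather than Wagtail's own or patched code: a minimal word-level revision diff renderer that splices stored field text into the comparison markup unescaped, beside a hardened version that escapes each chunk before wrapping it. The sample revisions and the difflib-based diff are constructed for this example.

```python
import difflib
import html

# Constructed sample revisions for this illustration (not taken from the advisory):
# an earlier page body and a later one in which a low-privilege editor stored markup.
OLD_BODY = "Welcome to our site."
NEW_BODY = "Welcome to our <script>alert(1)</script> site."


def diff_chunks(old, new):
    """Word-level diff of two field values.

    Yields (kind, text) pairs with kind in {"equal", "delete", "insert"}. Wagtail has
    its own comparison code; difflib is used here only to keep the example self-contained.
    """
    old_words, new_words = old.split(), new.split()
    matcher = difflib.SequenceMatcher(a=old_words, b=new_words)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            yield "equal", " ".join(old_words[i1:i2])
            continue
        if i1 != i2:  # "replace" or "delete": old words went away
            yield "delete", " ".join(old_words[i1:i2])
        if j1 != j2:  # "replace" or "insert": new words arrived
            yield "insert", " ".join(new_words[j1:j2])


def _wrap(kind, text):
    """Wrap a chunk in the comparison view's highlight span; text is used as given."""
    if kind == "equal":
        return text
    css = "deletion" if kind == "delete" else "addition"
    return f'<span class="{css}">{text}</span>'


def render_diff_unsafe(old, new):
    """Vulnerable pattern: stored field text is spliced into the HTML verbatim, so any
    markup saved in a revision runs in the browser of whoever opens the comparison."""
    return " ".join(_wrap(kind, text) for kind, text in diff_chunks(old, new))


def render_diff_safe(old, new):
    """Hardened pattern: escape every chunk before it is wrapped, so stored markup is
    displayed as text and only the view's own highlight spans reach the browser."""
    return " ".join(_wrap(kind, html.escape(text)) for kind, text in diff_chunks(old, new))


if __name__ == "__main__":
    print("unsafe:", render_diff_unsafe(OLD_BODY, NEW_BODY))
    print("safe:  ", render_diff_safe(OLD_BODY, NEW_BODY))
```

The same escaping rule applies to any other stored value the comparison view renders, since the privilege boundary here is between the account that writes the revision and the account that views it.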
References
- github.com/advisories/GHSA-v2wc-pfq2-5cm6
- github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-152.yaml
- github.com/wagtail/wagtail/commit/61045ceefea114c40ac4b680af58990dbe732389
- github.com/wagtail/wagtail/releases/tag/v2.8.1
- github.com/wagtail/wagtail/security/advisories/GHSA-v2wc-pfq2-5cm6
- nvd.nist.gov/vuln/detail/CVE-2020-11001