CVE-2020-15118: Cross-site Scripting

July 20, 2020 (updated July 28, 2020)

When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django’s standard form rendering helpers such as form.as_p, any HTML tags used within a form field’s help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation.

References

docs.wagtail.io/en/stable/reference/contrib/forms/index.html
nvd.nist.gov/vuln/detail/CVE-2020-15118

Detect and mitigate CVE-2020-15118 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →