CVE-2020-15118: Cross-Site Scripting in Wagtail
When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template renders the form with one of Django's standard helpers such as form.as_p (as the Wagtail documentation directs), any HTML in a form field's help text is output unescaped on the public page. Django treats help text as trusted HTML by design; Wagtail, however, does not let editors insert arbitrary HTML by default, because it could be used for cross-site scripting, including escalating an editor's privileges by running script in the browser session of a more privileged user who views the page. This capability should therefore never have been exposed to editor-level users. The issue is fixed in Wagtail 2.9.3 (see the release notes and fix commit in the references below).
The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
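The following is an added illustration of the mechanism and of two mitigations a site operator might want; it is not Wagtail's or Django's code. It runs without Django: render_field_as_p is a deliberately simplified stand-in for the shape of Django's as_p output (help text inlined raw, which is the behaviour the advisory describes), escape_help_text shows the escape-before-render mitigation, and find_html_in_help_text is an audit helper for reviewing help text that editors have already stored. The field list, labels and payload are constructed sample data.

```python
"""Illustration of CVE-2020-15118 (added example, not project code).

Django's form rendering helpers insert a field's help_text into the
generated markup without escaping it.  Wagtail's form builder passed
editor-supplied help text straight through, so an editor could place
arbitrary HTML, including script, on a public page.
"""
import html
from html.parser import HTMLParser

# Constructed sample of editor-supplied fields as (label, help_text).
# The last entry is a hostile payload an editor could have typed in.
SAMPLE_FIELDS = [
    ("name", "Your full name"),
    ("email", "We will never share your address"),
    ("phone", 'Optional <img src=x onerror="alert(document.domain)">'),
]


def render_field_as_p(label, help_text):
    """Simplified imitation of the as_p shape (assumption: not Django's code).

    The label is escaped but the help text is inlined raw, which is the
    asymmetry the advisory describes.
    """
    return (
        f"<p><label>{html.escape(label)}</label>"
        f'<span class="helptext">{help_text}</span></p>'
    )


def escape_help_text(help_text):
    """Mitigation: treat editor help text as plain text before it reaches the form."""
    return html.escape(help_text, quote=True)


def render_field_hardened(label, help_text):
    """Same renderer, but help text is escaped first so markup cannot be injected."""
    return render_field_as_p(label, escape_help_text(help_text))


class _TagFinder(HTMLParser):
    """Collects every start tag and its attributes from a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def find_html_in_help_text(fields):
    """Audit: return (label, tags) for every help text that contains markup.

    Escaping protects future renders; content editors stored before the
    fix still deserves a review, and this flags what to look at.
    """
    findings = []
    for label, help_text in fields:
        parser = _TagFinder()
        parser.feed(help_text)
        parser.close()
        if parser.tags:
            findings.append((label, parser.tags))
    return findings


def has_event_handler(tags):
    """True if any flagged tag carries an on* attribute (script execution)."""
    return any(
        attr.lower().startswith("on") for _, attrs in tags for attr in attrs
    )


if __name__ == "__main__":
    label, text = SAMPLE_FIELDS[2]
    print("vulnerable:", render_field_as_p(label, text))
    print("hardened:  ", render_field_hardened(label, text))
    for found_label, tags in find_html_in_help_text(SAMPLE_FIELDS):
        print("audit:", found_label, tags, "event handler:", has_event_handler(tags))
```

The audit pass is the part worth keeping after upgrading: escaping at render time stops new injections, but it does not tell you whether any editor already planted markup in a live form, which is what find_html_in_help_text surfaces.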
References
- docs.djangoproject.com/en/3.0/ref/models/fields/
- docs.wagtail.io/en/stable/reference/contrib/forms/index.html
- github.com/advisories/GHSA-2473-9hgq-j7xw
- github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-154.yaml
- github.com/wagtail/wagtail
- github.com/wagtail/wagtail/blob/master/docs/releases/2.9.3.rst
- github.com/wagtail/wagtail/commit/d9a41e7f24d08c024acc9a3094940199df94db34
- github.com/wagtail/wagtail/security/advisories/GHSA-2473-9hgq-j7xw
- nvd.nist.gov/vuln/detail/CVE-2020-15118