CVE-2020-15118: Cross-site Scripting
(updated )
When a form page type is made available to Wagtail editors through the wagtail.contrib.forms
app, and the page template is built using Django’s standard form rendering helpers such as form.as_p
, any HTML tags used within a form field’s help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation.
References
Detect and mitigate CVE-2020-15118 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →