CVE-2021-29434: Improper validation of URLs ('Cross-site Scripting') in Wagtail rich text fields
When saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. The restrictions enforced by the rich text editor in the browser do not help here, because a malicious user with access to the admin interface can bypass the editor and craft the POST request directly, publishing content whose links use javascript: URLs containing arbitrary code. Rich text is rendered as trusted HTML on the front end, so the script then runs in the browser of any visitor who clicks the link. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin; it requires an account that can edit and publish content. The fix, in the commits referenced below, adds server-side validation of the link URL.
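The check the advisory describes, as an added example written for this page (it is not Wagtail's own code or its fix, and the function and constant names are assumptions): links in a rich text HTML fragment are extracted and each href is accepted only if it is relative or uses an allowlisted scheme. The normalisation before the scheme test matters, because browsers strip ASCII tab, CR and LF anywhere in the URL and leading control characters and spaces before parsing, and HTML parsers decode character references in attribute values, so a naive `startswith("javascript:")` check is bypassed by `JaVaScRiPt:`, `java\tscript:` or `&#106;avascript:`. The sample fragment is constructed for the example.

```python
import re
from html.parser import HTMLParser
from typing import List

# Schemes a rich text link may legitimately use (assumption for this example;
# a real deployment would pick its own allowlist). Anything else, including
# javascript:, data: and vbscript:, is rejected. Relative URLs are allowed.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")

# Space and every C0 control character; browsers strip these from both ends
# of a URL before looking for a scheme.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def is_safe_link_url(url: str) -> bool:
    """Return True if `url` is relative or uses a scheme in ALLOWED_SCHEMES.

    The URL is normalised the way a browser would normalise it before the
    scheme is compared, so obfuscated javascript: URLs are still rejected.
    """
    # Browsers remove tab, CR and LF wherever they occur in a URL.
    cleaned = url.replace("\t", "").replace("\r", "").replace("\n", "")
    # ...and strip leading/trailing C0 controls and spaces.
    cleaned = cleaned.strip(_C0_AND_SPACE)
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        # No scheme: a relative or scheme-relative URL, resolved against the
        # site's own origin, which cannot execute script.
        return True
    # Scheme comparison is case-insensitive. Note that "host:8080/path" is
    # parsed as scheme "host" both here and by browsers, and is therefore
    # rejected; that is the safe outcome.
    return match.group(1).lower() in ALLOWED_SCHEMES


class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag; html.parser decodes entities in
    attribute values, so `&#106;avascript:` arrives as `javascript:`."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value is not None:
                self.hrefs.append(value)


def find_unsafe_links(rich_text_html: str) -> List[str]:
    """Return the href values in a rich text fragment that fail the check.

    A server-side save handler would reject the submission (or strip the
    offending links) when this list is non-empty.
    """
    collector = _LinkCollector()
    collector.feed(rich_text_html)
    collector.close()
    return [href for href in collector.hrefs if not is_safe_link_url(href)]


# Constructed sample: what a crafted POST body might carry in the rich text
# field, mixing legitimate links with several obfuscated javascript: URLs.
SAMPLE_RICH_TEXT = (
    '<p>Read the <a href="https://example.com/docs">docs</a>, '
    '<a href="/about/">about us</a>, '
    '<a href="mailto:hello@example.com">contact</a>, '
    '<a href="JaVaScRiPt:alert(document.cookie)">promo</a>, '
    '<a href="&#106;avascript:alert(1)">offer</a>, '
    '<a href=" java\tscript:alert(1)">deal</a>.</p>'
)

if __name__ == "__main__":
    for href in find_unsafe_links(SAMPLE_RICH_TEXT):
        print("rejected link:", repr(href))
```

The check is deliberately an allowlist rather than a denylist of bad schemes: new URL schemes that browsers treat as script-capable would otherwise slip through, and the normalisation steps are only needed at all because the comparison happens on the server, after the editor's client-side restrictions have already been bypassed.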
References
- github.com/advisories/GHSA-wq5h-f9p5-q7fx
- github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-114.yaml
- github.com/wagtail/wagtail
- github.com/wagtail/wagtail/commit/5c7a60977cba478f6a35390ba98cffc2bd41c8a4
- github.com/wagtail/wagtail/commit/915f6ed2bd7d53154103cc4424a0f18695cdad6c
- github.com/wagtail/wagtail/compare/v2.11.6...v2.11.7
- github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx
- nvd.nist.gov/vuln/detail/CVE-2021-29434
- pypi.org/project/wagtail
Detect and mitigate CVE-2021-29434 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning.