Possible XSS attack in Wagtail
CVE-2020-11001

5.8MEDIUM

Key Information:

Vendor: Wagtail
Status: Wagtail
Vendor: CVE Published:; 14 April 2020

What is CVE-2020-11001?

In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).

Affected Version(s)

wagtail < 2.7.2 < 2.7.2

wagtail >= 2.8.0, < 2.8.1 < 2.8.0, 2.8.1

References

https://github.com/wagtail/wagtail/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2020
Vulnerability Reserved
Mar 30, 2020

CVE-2020-11001 Data

JSON