CVE-2021-29434

Опубликовано: 19 апр. 2021

Источник: nvd

CVSS3: 6.1

CVSS3: 4.8

CVSS2: 3.5

EPSS Низкий

Описание

Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with javascript: URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).

Ссылки

https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx
Mitigation
Third Party Advisory
https://pypi.org/project/wagtail/
Product
Third Party Advisory
https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx
Mitigation
Third Party Advisory
https://pypi.org/project/wagtail/
Product
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:torchbox:wagtail:*:*:*:*:-:*:*:*

Версия до 2.11.6 (исключая)

cpe:2.3:a:torchbox:wagtail:*:*:*:*:lts:*:*:*

Версия от 2.11.0 (включая) до 2.11.7 (исключая)

cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*

Версия от 2.12.0 (включая) до 2.12.4 (исключая)

EPSS

Процентиль: 50%

0.00274

Низкий

6.1 Medium

CVSS3

4.8 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-wq5h-f9p5-q7fx

CVSS3: 6.1

github

почти 5 лет назад

Improper validation of URLs ('Cross-site Scripting') in Wagtail rich text fields

EPSS

Процентиль: 50%

0.00274

Низкий

6.1 Medium

CVSS3

4.8 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79