cvelistv5 - cve-2021-29434

CVE-2021-29434 (GCVE-0-2021-29434)

Vulnerability from cvelistv5 – Published: 2021-04-19 18:45 – Updated: 2024-08-03 22:02

Summary

Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

CWE

CWE-79 - {"CWE-79":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}

Assigner

GitHub_M

References

URL

Tags

	https://github.com/wagtail/wagtail/security/advis…	x_refsource_CONFIRM
	https://pypi.org/project/wagtail/	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	wagtail	wagtail	Affected: <= 2.11.6 Affected: >= 2.12, <= 2.12.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:02:51.911Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pypi.org/project/wagtail/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wagtail",
          "vendor": "wagtail",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.11.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.12, \u003c= 2.12.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-19T18:45:14",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pypi.org/project/wagtail/"
        }
      ],
      "source": {
        "advisory": "GHSA-wq5h-f9p5-q7fx",
        "discovery": "UNKNOWN"
      },
      "title": "Improper validation of URLs (\u0027Cross-site Scripting\u0027) in Wagtail rich text fields",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-29434",
          "STATE": "PUBLIC",
          "TITLE": "Improper validation of URLs (\u0027Cross-site Scripting\u0027) in Wagtail rich text fields"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wagtail",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c= 2.11.6"
                          },
                          {
                            "version_value": "\u003e= 2.12, \u003c= 2.12.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wagtail"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx",
              "refsource": "CONFIRM",
              "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx"
            },
            {
              "name": "https://pypi.org/project/wagtail/",
              "refsource": "MISC",
              "url": "https://pypi.org/project/wagtail/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-wq5h-f9p5-q7fx",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-29434",
    "datePublished": "2021-04-19T18:45:14",
    "dateReserved": "2021-03-30T00:00:00",
    "dateUpdated": "2024-08-03T22:02:51.911Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:torchbox:wagtail:*:*:*:*:-:*:*:*\", \"versionEndExcluding\": \"2.11.6\", \"matchCriteriaId\": \"D49567BA-C5CC-43C3-AF42-EA0C310D579C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:torchbox:wagtail:*:*:*:*:lts:*:*:*\", \"versionStartIncluding\": \"2.11.0\", \"versionEndExcluding\": \"2.11.7\", \"matchCriteriaId\": \"12C5EC90-1517-407D-8FD2-48EC03048565\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.12.0\", \"versionEndExcluding\": \"2.12.4\", \"matchCriteriaId\": \"4EB39BD7-9D15-4076-BB7B-41183023FA60\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).\"}, {\"lang\": \"es\", \"value\": \"Wagtail es un sistema de gesti\\u00f3n de contenido de Django.\u0026#xa0;En las versiones afectadas de Wagtail, al guardar el contenido de un campo de texto enriquecido en la interfaz de administraci\\u00f3n, Wagtail no aplica comprobaciones del lado del servidor para garantizar a las URL de los enlaces usar un protocolo v\\u00e1lido.\u0026#xa0;Un usuario malicioso con acceso a la interfaz de administraci\\u00f3n podr\\u00eda entonces dise\\u00f1ar una petici\\u00f3n POST para publicar contenido con URLs \\\"javascript:\\\" que contengan c\\u00f3digo arbitrario.\u0026#xa0;La vulnerabilidad no es explotable por un visitante ordinario del sitio sin acceso al administrador de Wagtail.\u0026#xa0;V\\u00e9ase el aviso de GitHub al que se hace referencia para obtener detalles adicionales, incluyendo una soluci\\u00f3n alternativa.\u0026#xa0;Las versiones parcheadas ha sido lanzadas como Wagtail versi\\u00f3n 2.11.7 (para la rama LTS 2.11) y Wagtail versi\\u00f3n 2.12.4 (para la rama 2.12 actual)\"}]",
      "id": "CVE-2021-29434",
      "lastModified": "2024-11-21T06:01:05.397",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 0.9, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.7, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-04-19T19:15:17.610",
      "references": "[{\"url\": \"https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mitigation\", \"Third Party Advisory\"]}, {\"url\": \"https://pypi.org/project/wagtail/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Third Party Advisory\"]}, {\"url\": \"https://pypi.org/project/wagtail/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-29434\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-04-19T19:15:17.610\",\"lastModified\":\"2024-11-21T06:01:05.397\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).\"},{\"lang\":\"es\",\"value\":\"Wagtail es un sistema de gesti\u00f3n de contenido de Django.\u0026#xa0;En las versiones afectadas de Wagtail, al guardar el contenido de un campo de texto enriquecido en la interfaz de administraci\u00f3n, Wagtail no aplica comprobaciones del lado del servidor para garantizar a las URL de los enlaces usar un protocolo v\u00e1lido.\u0026#xa0;Un usuario malicioso con acceso a la interfaz de administraci\u00f3n podr\u00eda entonces dise\u00f1ar una petici\u00f3n POST para publicar contenido con URLs \\\"javascript:\\\" que contengan c\u00f3digo arbitrario.\u0026#xa0;La vulnerabilidad no es explotable por un visitante ordinario del sitio sin acceso al administrador de Wagtail.\u0026#xa0;V\u00e9ase el aviso de GitHub al que se hace referencia para obtener detalles adicionales, incluyendo una soluci\u00f3n alternativa.\u0026#xa0;Las versiones parcheadas ha sido lanzadas como Wagtail versi\u00f3n 2.11.7 (para la rama LTS 2.11) y Wagtail versi\u00f3n 2.12.4 (para la rama 2.12 actual)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.9,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:torchbox:wagtail:*:*:*:*:-:*:*:*\",\"versionEndExcluding\":\"2.11.6\",\"matchCriteriaId\":\"D49567BA-C5CC-43C3-AF42-EA0C310D579C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:torchbox:wagtail:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"2.11.0\",\"versionEndExcluding\":\"2.11.7\",\"matchCriteriaId\":\"12C5EC90-1517-407D-8FD2-48EC03048565\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.12.0\",\"versionEndExcluding\":\"2.12.4\",\"matchCriteriaId\":\"4EB39BD7-9D15-4076-BB7B-41183023FA60\"}]}]}],\"references\":[{\"url\":\"https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://pypi.org/project/wagtail/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://pypi.org/project/wagtail/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\",\"Third Party Advisory\"]}]}}"
  }
}

FKIE_CVE-2021-29434

Vulnerability from fkie_nvd - Published: 2021-04-19 19:15 - Updated: 2024-11-21 06:01

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx	Mitigation, Third Party Advisory
security-advisories@github.com	https://pypi.org/project/wagtail/	Product, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx	Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://pypi.org/project/wagtail/	Product, Third Party Advisory

Impacted products

Vendor	Product	Version
torchbox	wagtail	*
torchbox	wagtail	*
torchbox	wagtail	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "D49567BA-C5CC-43C3-AF42-EA0C310D579C",
              "versionEndExcluding": "2.11.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "12C5EC90-1517-407D-8FD2-48EC03048565",
              "versionEndExcluding": "2.11.7",
              "versionStartIncluding": "2.11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4EB39BD7-9D15-4076-BB7B-41183023FA60",
              "versionEndExcluding": "2.12.4",
              "versionStartIncluding": "2.12.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch)."
    },
    {
      "lang": "es",
      "value": "Wagtail es un sistema de gesti\u00f3n de contenido de Django.\u0026#xa0;En las versiones afectadas de Wagtail, al guardar el contenido de un campo de texto enriquecido en la interfaz de administraci\u00f3n, Wagtail no aplica comprobaciones del lado del servidor para garantizar a las URL de los enlaces usar un protocolo v\u00e1lido.\u0026#xa0;Un usuario malicioso con acceso a la interfaz de administraci\u00f3n podr\u00eda entonces dise\u00f1ar una petici\u00f3n POST para publicar contenido con URLs \"javascript:\" que contengan c\u00f3digo arbitrario.\u0026#xa0;La vulnerabilidad no es explotable por un visitante ordinario del sitio sin acceso al administrador de Wagtail.\u0026#xa0;V\u00e9ase el aviso de GitHub al que se hace referencia para obtener detalles adicionales, incluyendo una soluci\u00f3n alternativa.\u0026#xa0;Las versiones parcheadas ha sido lanzadas como Wagtail versi\u00f3n 2.11.7 (para la rama LTS 2.11) y Wagtail versi\u00f3n 2.12.4 (para la rama 2.12 actual)"
    }
  ],
  "id": "CVE-2021-29434",
  "lastModified": "2024-11-21T06:01:05.397",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-04-19T19:15:17.610",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://pypi.org/project/wagtail/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://pypi.org/project/wagtail/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

PYSEC-2021-114

Vulnerability from pysec - Published: 2021-04-19 19:15 - Updated: 2021-04-29 14:24

Details

Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with javascript: URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).

Impacted products

Name	purl
wagtail	pkg:pypi/wagtail

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail",
        "purl": "pkg:pypi/wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.11"
            },
            {
              "fixed": "2.11.7"
            },
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.6"
            },
            {
              "introduced": "2.12"
            },
            {
              "fixed": "2.12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1",
        "0.2",
        "0.3",
        "0.3.1",
        "0.4",
        "0.4.1",
        "0.5",
        "0.6",
        "0.7",
        "0.8",
        "0.8.1",
        "0.8.2",
        "0.8.3",
        "0.8.4",
        "0.8.5",
        "0.8.6",
        "0.8.7",
        "0.8.8",
        "0.8.9",
        "0.8.10",
        "1.0b1",
        "1.0b2",
        "1.0rc1",
        "1.0rc2",
        "1.0",
        "1.1rc1",
        "1.1",
        "1.2rc1",
        "1.2",
        "1.3rc1",
        "1.3",
        "1.3.1",
        "1.4rc1",
        "1.4",
        "1.4.1",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.5rc1",
        "1.5",
        "1.5.1",
        "1.5.2",
        "1.5.3",
        "1.6rc1",
        "1.6",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.7rc1",
        "1.7",
        "1.8rc1",
        "1.8",
        "1.8.1",
        "1.8.2",
        "1.9rc1",
        "1.9",
        "1.9.1",
        "1.10rc1",
        "1.10",
        "1.10.1",
        "1.11rc1",
        "1.11",
        "1.11.1",
        "1.12rc1",
        "1.12",
        "1.12.1",
        "1.12.2",
        "1.12.3",
        "1.12.4",
        "1.12.5",
        "1.12.6",
        "1.13rc1",
        "1.13",
        "1.13.1",
        "1.13.2",
        "1.13.3",
        "1.13.4",
        "2.0b1",
        "2.0rc1",
        "2.0",
        "2.0.1",
        "2.0.2",
        "2.1rc1",
        "2.1rc2",
        "2.1",
        "2.1.1",
        "2.1.2",
        "2.1.3",
        "2.2rc1",
        "2.2rc2",
        "2.2",
        "2.2.1",
        "2.2.2",
        "2.3rc1",
        "2.3rc2",
        "2.3",
        "2.4rc1",
        "2.4",
        "2.5rc1",
        "2.5",
        "2.5.1",
        "2.5.2",
        "2.6rc1",
        "2.6",
        "2.6.1",
        "2.6.2",
        "2.6.3",
        "2.7rc1",
        "2.7rc2",
        "2.7",
        "2.7.1",
        "2.7.2",
        "2.7.3",
        "2.7.4",
        "2.8rc1",
        "2.8",
        "2.8.1",
        "2.8.2",
        "2.9rc1",
        "2.9",
        "2.9.1",
        "2.9.2",
        "2.9.3",
        "2.10rc1",
        "2.10rc2",
        "2.10",
        "2.10.1",
        "2.10.2",
        "2.11rc1",
        "2.11",
        "2.11.1",
        "2.11.2",
        "2.11.3",
        "2.11.4",
        "2.11.5",
        "2.11.6",
        "2.12",
        "2.12.1",
        "2.12.2",
        "2.12.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29434",
    "GHSA-wq5h-f9p5-q7fx"
  ],
  "details": "Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).",
  "id": "PYSEC-2021-114",
  "modified": "2021-04-29T14:24:00Z",
  "published": "2021-04-19T19:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx"
    },
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/wagtail/"
    }
  ]
}

GSD-2021-29434

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-29434

Aliases

CVE-2021-29434

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-29434",
    "description": "Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).",
    "id": "GSD-2021-29434"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-29434"
      ],
      "details": "Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).",
      "id": "GSD-2021-29434",
      "modified": "2023-12-13T01:23:36.986975Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-29434",
        "STATE": "PUBLIC",
        "TITLE": "Improper validation of URLs (\u0027Cross-site Scripting\u0027) in Wagtail rich text fields"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "wagtail",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c= 2.11.6"
                        },
                        {
                          "version_value": "\u003e= 2.12, \u003c= 2.12.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "wagtail"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch)."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx",
            "refsource": "CONFIRM",
            "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx"
          },
          {
            "name": "https://pypi.org/project/wagtail/",
            "refsource": "MISC",
            "url": "https://pypi.org/project/wagtail/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-wq5h-f9p5-q7fx",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=2.11.0,\u003c2.11.7||\u003e=2.12.0,\u003c2.12.4",
          "affected_versions": "All versions starting from 2.11.0 before 2.11.7, all versions starting from 2.12.0 before 2.12.4",
          "cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2021-04-29",
          "description": "When saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail (for the branch) and Wagtail (for the current branch).",
          "fixed_versions": [
            "2.11.7",
            "2.12.4"
          ],
          "identifier": "CVE-2021-29434",
          "identifiers": [
            "CVE-2021-29434",
            "GHSA-wq5h-f9p5-q7fx"
          ],
          "not_impacted": "All versions before 2.11.0, all versions starting from 2.11.7 before 2.12.0, all versions starting from 2.12.4",
          "package_slug": "pypi/wagtail",
          "pubdate": "2021-04-19",
          "solution": "Upgrade to versions 2.11.7, 2.12.4 or above.",
          "title": "Cross-site Scripting",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-29434"
          ],
          "uuid": "49e9aae5-321e-4a8b-a1f6-be874c73e5b7"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.11.7",
                "versionStartIncluding": "2.11.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:-:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.11.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.12.4",
                "versionStartIncluding": "2.12.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-29434"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx",
              "refsource": "CONFIRM",
              "tags": [
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx"
            },
            {
              "name": "https://pypi.org/project/wagtail/",
              "refsource": "MISC",
              "tags": [
                "Product",
                "Third Party Advisory"
              ],
              "url": "https://pypi.org/project/wagtail/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.7,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2021-04-29T14:24Z",
      "publishedDate": "2021-04-19T19:15Z"
    }
  }
}

GHSA-WQ5H-F9P5-Q7FX

Vulnerability from github – Published: 2021-04-20 14:02 – Updated: 2024-11-19 16:02

Summary

Improper validation of URLs ('Cross-site Scripting') in Wagtail rich text fields

Details

Impact

When saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with javascript: URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patches

Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).

Workarounds

For sites that cannot easily upgrade to a current supported version, the vulnerability can be patched by adding the following code to a wagtail_hooks.py module in any installed app:

from draftjs_exporter.dom import DOM
from wagtail.admin.rich_text.converters.html_to_contentstate import ExternalLinkElementHandler, PageLinkElementHandler
from wagtail.core import hooks
from wagtail.core.whitelist import check_url


def link_entity(props):
    id_ = props.get('id')
    link_props = {}

    if id_ is not None:
        link_props['linktype'] = 'page'
        link_props['id'] = id_
    else:
        link_props['href'] = check_url(props.get('url'))

    return DOM.create_element('a', link_props, props['children'])


@hooks.register('register_rich_text_features', order=1)
def register_link(features):
    features.register_converter_rule('contentstate', 'link', {
        'from_database_format': {
            'a[href]': ExternalLinkElementHandler('LINK'),
            'a[linktype="page"]': PageLinkElementHandler('LINK'),
        },
        'to_database_format': {
            'entity_decorators': {'LINK': link_entity}
        }
    })

Acknowledgements

Many thanks to Kevin Breen for reporting this issue.

For more information

If you have any questions or comments about this advisory:

Visit Wagtail's support channels
Email us at security@wagtail.io (if you wish to send encrypted email, the public key ID is 0x6ba1e1a86e0f8ce8)

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

8.4 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.11.6"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.12.3"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.12"
            },
            {
              "fixed": "2.12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29434"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-19T18:46:26Z",
    "nvd_published_at": "2021-04-19T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nWhen saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.\n\n### Patches\nPatched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).\n\n### Workarounds\nFor sites that cannot easily upgrade to a current supported version, the vulnerability can be patched by adding the following code to a `wagtail_hooks.py` module in any installed app:\n\n```python\nfrom draftjs_exporter.dom import DOM\nfrom wagtail.admin.rich_text.converters.html_to_contentstate import ExternalLinkElementHandler, PageLinkElementHandler\nfrom wagtail.core import hooks\nfrom wagtail.core.whitelist import check_url\n\n\ndef link_entity(props):\n    id_ = props.get(\u0027id\u0027)\n    link_props = {}\n\n    if id_ is not None:\n        link_props[\u0027linktype\u0027] = \u0027page\u0027\n        link_props[\u0027id\u0027] = id_\n    else:\n        link_props[\u0027href\u0027] = check_url(props.get(\u0027url\u0027))\n\n    return DOM.create_element(\u0027a\u0027, link_props, props[\u0027children\u0027])\n\n\n@hooks.register(\u0027register_rich_text_features\u0027, order=1)\ndef register_link(features):\n    features.register_converter_rule(\u0027contentstate\u0027, \u0027link\u0027, {\n        \u0027from_database_format\u0027: {\n            \u0027a[href]\u0027: ExternalLinkElementHandler(\u0027LINK\u0027),\n            \u0027a[linktype=\"page\"]\u0027: PageLinkElementHandler(\u0027LINK\u0027),\n        },\n        \u0027to_database_format\u0027: {\n            \u0027entity_decorators\u0027: {\u0027LINK\u0027: link_entity}\n        }\n    })\n```\n\n### Acknowledgements\nMany thanks to Kevin Breen for reporting this issue.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Visit Wagtail\u0027s [support channels](https://docs.wagtail.io/en/stable/support.html)\n* Email us at security@wagtail.io (if you wish to send encrypted email, the public key ID is `0x6ba1e1a86e0f8ce8`)",
  "id": "GHSA-wq5h-f9p5-q7fx",
  "modified": "2024-11-19T16:02:32Z",
  "published": "2021-04-20T14:02:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29434"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/commit/5c7a60977cba478f6a35390ba98cffc2bd41c8a4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/commit/915f6ed2bd7d53154103cc4424a0f18695cdad6c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-114.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wagtail/wagtail"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/compare/v2.11.6...v2.11.7"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/wagtail"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper validation of URLs (\u0027Cross-site Scripting\u0027) in Wagtail rich text fields"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-29434 (GCVE-0-2021-29434)

FKIE_CVE-2021-29434

PYSEC-2021-114

GSD-2021-29434

GHSA-WQ5H-F9P5-Q7FX

Impact

Patches

Workarounds

Acknowledgements

For more information

Tags

Sightings

Nomenclature