cvelistv5 - cve-2021-32681

URL	Tags
security-advisories@github.com	https://github.com/wagtail/wagtail/releases/tag/v2.11.8	Exploit, Third Party Advisory
security-advisories@github.com	https://github.com/wagtail/wagtail/releases/tag/v2.12.5	Exploit, Third Party Advisory
security-advisories@github.com	https://github.com/wagtail/wagtail/releases/tag/v2.13.2	Exploit, Third Party Advisory
security-advisories@github.com	https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf	Mitigation, Third Party Advisory

pysec-2021-103

Vulnerability from pysec

Published

2021-06-17 17:15

Modified

2021-06-22 04:54

Details

Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the {% include_block %} template tag is used to output the value of a plain-text StreamField block (CharBlock, TextBlock or a similar user-defined block derived from FieldBlock), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with 'editor' access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of {% include_block %} to ensure it is not used to output CharBlock / TextBlock values with no associated template. Note that this only applies where {% include_block %} is used directly on that block (uses of include_block on a block containing a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django's {{ ... }} syntax - e.g. {% include_block my_title_block %} becomes {{ my_title_block }}.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail",
        "purl": "pkg:pypi/wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.13"
            },
            {
              "fixed": "2.13.2"
            },
            {
              "introduced": "2.12"
            },
            {
              "fixed": "2.12.5"
            },
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1",
        "0.2",
        "0.3",
        "0.3.1",
        "0.4",
        "0.4.1",
        "0.5",
        "0.6",
        "0.7",
        "0.8",
        "0.8.1",
        "0.8.10",
        "0.8.2",
        "0.8.3",
        "0.8.4",
        "0.8.5",
        "0.8.6",
        "0.8.7",
        "0.8.8",
        "0.8.9",
        "1.0",
        "1.0b1",
        "1.0b2",
        "1.0rc1",
        "1.0rc2",
        "1.1",
        "1.10",
        "1.10.1",
        "1.10rc1",
        "1.11",
        "1.11.1",
        "1.11rc1",
        "1.12",
        "1.12.1",
        "1.12.2",
        "1.12.3",
        "1.12.4",
        "1.12.5",
        "1.12.6",
        "1.12rc1",
        "1.13",
        "1.13.1",
        "1.13.2",
        "1.13.3",
        "1.13.4",
        "1.13rc1",
        "1.1rc1",
        "1.2",
        "1.2rc1",
        "1.3",
        "1.3.1",
        "1.3rc1",
        "1.4",
        "1.4.1",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4rc1",
        "1.5",
        "1.5.1",
        "1.5.2",
        "1.5.3",
        "1.5rc1",
        "1.6",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.6rc1",
        "1.7",
        "1.7rc1",
        "1.8",
        "1.8.1",
        "1.8.2",
        "1.8rc1",
        "1.9",
        "1.9.1",
        "1.9rc1",
        "2.0",
        "2.0.1",
        "2.0.2",
        "2.0b1",
        "2.0rc1",
        "2.1",
        "2.1.1",
        "2.1.2",
        "2.1.3",
        "2.10",
        "2.10.1",
        "2.10.2",
        "2.10rc1",
        "2.10rc2",
        "2.11",
        "2.11.1",
        "2.11.2",
        "2.11.3",
        "2.11.4",
        "2.11.5",
        "2.11.6",
        "2.11.7",
        "2.11rc1",
        "2.12",
        "2.12.1",
        "2.12.2",
        "2.12.3",
        "2.12.4",
        "2.13",
        "2.13.1",
        "2.1rc1",
        "2.1rc2",
        "2.2",
        "2.2.1",
        "2.2.2",
        "2.2rc1",
        "2.2rc2",
        "2.3",
        "2.3rc1",
        "2.3rc2",
        "2.4",
        "2.4rc1",
        "2.5",
        "2.5.1",
        "2.5.2",
        "2.5rc1",
        "2.6",
        "2.6.1",
        "2.6.2",
        "2.6.3",
        "2.6rc1",
        "2.7",
        "2.7.1",
        "2.7.2",
        "2.7.3",
        "2.7.4",
        "2.7rc1",
        "2.7rc2",
        "2.8",
        "2.8.1",
        "2.8.2",
        "2.8rc1",
        "2.9",
        "2.9.1",
        "2.9.2",
        "2.9.3",
        "2.9rc1"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32681",
    "GHSA-xfrw-hxr5-ghqf"
  ],
  "details": "Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with \u0027editor\u0027 access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django\u0027s `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`.",
  "id": "PYSEC-2021-103",
  "modified": "2021-06-22T04:54:57.540693Z",
  "published": "2021-06-17T17:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/releases/tag/v2.11.8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/releases/tag/v2.12.5"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/releases/tag/v2.13.2"
    }
  ]
}

gsd-2021-32681

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with 'editor' access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django's `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`.

Aliases

CVE-2021-32681

Aliases

CVE-2021-32681

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-32681",
    "description": "Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with \u0027editor\u0027 access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django\u0027s `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`.",
    "id": "GSD-2021-32681"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-32681"
      ],
      "details": "Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with \u0027editor\u0027 access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django\u0027s `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`.",
      "id": "GSD-2021-32681",
      "modified": "2023-12-13T01:23:08.809737Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-32681",
        "STATE": "PUBLIC",
        "TITLE": "Improper escaping of HTML (\u0027Cross-site Scripting\u0027) in Wagtail StreamField blocks"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "wagtail",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 2.11.8"
                        },
                        {
                          "version_value": "\u003e= 2.12, \u003c= 2.12.4"
                        },
                        {
                          "version_value": "\u003e= 2.13, \u003c= 2.13.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "wagtail"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with \u0027editor\u0027 access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django\u0027s `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf",
            "refsource": "CONFIRM",
            "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf"
          },
          {
            "name": "https://github.com/wagtail/wagtail/releases/tag/v2.11.8",
            "refsource": "MISC",
            "url": "https://github.com/wagtail/wagtail/releases/tag/v2.11.8"
          },
          {
            "name": "https://github.com/wagtail/wagtail/releases/tag/v2.12.5",
            "refsource": "MISC",
            "url": "https://github.com/wagtail/wagtail/releases/tag/v2.12.5"
          },
          {
            "name": "https://github.com/wagtail/wagtail/releases/tag/v2.13.2",
            "refsource": "MISC",
            "url": "https://github.com/wagtail/wagtail/releases/tag/v2.13.2"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-xfrw-hxr5-ghqf",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.11.8||\u003e=2.12,\u003c=2.12.4||\u003e=2.13,\u003c=2.13.1",
          "affected_versions": "All versions before 2.11.8, all versions starting from 2.12 up to 2.12.4, all versions starting from 2.13 up to 2.13.1",
          "cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2021-06-23",
          "description": "A XSS vulnerability exists in Wagtail, an open source content management system built on Django.",
          "fixed_versions": [
            "2.11.8",
            "2.12.5",
            "2.13.2"
          ],
          "identifier": "CVE-2021-32681",
          "identifiers": [
            "CVE-2021-32681",
            "GHSA-xfrw-hxr5-ghqf"
          ],
          "not_impacted": "All versions starting from 2.11.8 before 2.12, all versions after 2.12.4 before 2.13, all versions after 2.13.1",
          "package_slug": "pypi/wagtail",
          "pubdate": "2021-06-17",
          "solution": "Upgrade to versions 2.11.8, 2.12.5, 2.13.2 or above.",
          "title": "Cross-site Scripting",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-32681"
          ],
          "uuid": "1d1dd66b-edf8-4f68-9d8a-039d32486855"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.11.8",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.12.4",
                "versionStartIncluding": "2.12",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.13.1",
                "versionStartIncluding": "2.13",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32681"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with \u0027editor\u0027 access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django\u0027s `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wagtail/wagtail/releases/tag/v2.11.8",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/wagtail/wagtail/releases/tag/v2.11.8"
            },
            {
              "name": "https://github.com/wagtail/wagtail/releases/tag/v2.12.5",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/wagtail/wagtail/releases/tag/v2.12.5"
            },
            {
              "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf",
              "refsource": "CONFIRM",
              "tags": [
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf"
            },
            {
              "name": "https://github.com/wagtail/wagtail/releases/tag/v2.13.2",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/wagtail/wagtail/releases/tag/v2.13.2"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2021-06-23T12:28Z",
      "publishedDate": "2021-06-17T17:15Z"
    }
  }
}

ghsa-xfrw-hxr5-ghqf

Vulnerability from github

Published

2021-06-17 20:10

Modified

2024-11-19 16:03

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.1 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Cross-site Scripting in wagtail

Details

Impact

When the {% include_block %} template tag is used to output the value of a plain-text StreamField block (CharBlock, TextBlock or a similar user-defined block derived from FieldBlock), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with 'editor' access to the Wagtail admin).

Patches

Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch).

Site implementors who wish to retain the existing behaviour of allowing editors to insert HTML content in these blocks (and are willing to accept the risk of untrusted editors inserting arbitrary code) may disable the escaping by surrounding the relevant {% include_block %} tag in {% autoescape off %}...{% endautoescape %}.

Workarounds

Site implementors who are unable to upgrade to a current supported version should audit their use of {% include_block %} to ensure it is not used to output CharBlock / TextBlock values with no associated template. Note that this only applies where {% include_block %} is used directly on that block (uses of include_block on a block containing a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django's {{ ... }} syntax - e.g. {% include_block my_title_block %} becomes {{ my_title_block }}.

Acknowledgements

Many thanks to Karen Tracey for reporting this issue.

For more information

If you have any questions or comments about this advisory:

Visit Wagtail's support channels
Email us at security@wagtail.io (if you wish to send encrypted email, the public key ID is 0x6ba1e1a86e0f8ce8)

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.12"
            },
            {
              "fixed": "2.12.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.13"
            },
            {
              "fixed": "2.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32681"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-17T18:56:56Z",
    "nvd_published_at": "2021-06-17T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhen the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with \u0027editor\u0027 access to the Wagtail admin).\n\n### Patches\nPatched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch).\n\nSite implementors who wish to retain the existing behaviour of allowing editors to insert HTML content in these blocks (and are willing to accept the risk of untrusted editors inserting arbitrary code) may disable the escaping by surrounding the relevant `{% include_block %}` tag in `{% autoescape off %}...{% endautoescape %}`.\n\n### Workarounds\nSite implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django\u0027s `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`.\n\n### Acknowledgements\nMany thanks to Karen Tracey for reporting this issue.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Visit Wagtail\u0027s [support channels](https://docs.wagtail.io/en/stable/support.html)\n* Email us at security@wagtail.io (if you wish to send encrypted email, the public key ID is `0x6ba1e1a86e0f8ce8`)\n",
  "id": "GHSA-xfrw-hxr5-ghqf",
  "modified": "2024-11-19T16:03:13Z",
  "published": "2021-06-17T20:10:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32681"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-103.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wagtail/wagtail"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/releases/tag/v2.11.8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/releases/tag/v2.12.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/releases/tag/v2.13.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cross-site Scripting in wagtail"
}

cve-2021-32681

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

cve-2021-32681

Vulnerability from cvelistv5

pysec-2021-103

Vulnerability from pysec

gsd-2021-32681

Vulnerability from gsd

ghsa-xfrw-hxr5-ghqf

Vulnerability from github

Impact

Patches

Workarounds

Acknowledgements

For more information

Tags

Sightings

Nomenclature