Wagtail
CVE-2020-11001
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).
AnalysisAI
In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch). Affected products include: Torchbox Wagtail.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 5.4), this vulnerabilit
Reflected cross-site scripting in the Wagtail Django CMS admin interface lets a low-privilege editor craft a malicious U
Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 6.5), this vulnerabilit
Missing authorization on the image preview endpoint in Wagtail CMS allows any authenticated admin-panel user to render p
Stored XSS in Wagtail's TableBlock allows authenticated users with page editing permissions to inject malicious class at
Stored XSS in Wagtail's simple_translation module allows authenticated admin users to inject malicious JavaScript throug
Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 5.4), this vulnerabilit
In Wagtail before versions 2.7.4 and 2.9.3, when a form page type is made available to Wagtail editors through the `wagt
Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 4.9), this vulnerabilit
Wagtail is a Django content management system. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploita
In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protec
Authorization bypass in Wagtail CMS allows authenticated low-privilege users to create translations for pages beyond the
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today