Skip to main content

Wagtail CVE-2020-11001

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2020-04-14 security-advisories@github.com
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 14, 2020 - 23:15 nvd
MEDIUM 6.8

DescriptionNVD

In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).

AnalysisAI

In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch). Affected products include: Torchbox Wagtail.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2021-32681 MEDIUM POC
5.4 Jun 17

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 5.4), this vulnerabilit

CVE-2026-54263 HIGH
7.3 Jul 01

Reflected cross-site scripting in the Wagtail Django CMS admin interface lets a low-privilege editor craft a malicious U

CVE-2024-39317 MEDIUM
6.5 Jul 11

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 6.5), this vulnerabilit

CVE-2026-54261 MEDIUM
6.5 Jul 01

Missing authorization on the image preview endpoint in Wagtail CMS allows any authenticated admin-panel user to render p

CVE-2026-28222 MEDIUM
6.1 Mar 05

Stored XSS in Wagtail's TableBlock allows authenticated users with page editing permissions to inject malicious class at

CVE-2026-28223 MEDIUM
6.1 Mar 05

Stored XSS in Wagtail's simple_translation module allows authenticated admin users to inject malicious JavaScript throug

CVE-2023-28836 MEDIUM
5.4 Apr 03

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 5.4), this vulnerabilit

CVE-2020-15118 MEDIUM
5.4 Jul 20

In Wagtail before versions 2.7.4 and 2.9.3, when a form page type is made available to Wagtail editors through the `wagt

CVE-2023-28837 MEDIUM
4.9 Apr 03

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 4.9), this vulnerabilit

CVE-2021-29434 MEDIUM
4.8 Apr 19

Wagtail is a Django content management system. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploita

CVE-2020-11037 MEDIUM
4.7 Apr 30

In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protec

CVE-2026-54262 MEDIUM
4.3 Jul 01

Authorization bypass in Wagtail CMS allows authenticated low-privilege users to create translations for pages beyond the

Share

CVE-2020-11001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy