CVE-2021-29434 MEDIUM

CVE-2021-29434: Improper validation of URLs ('Cross-site Scripting') in Wagtail rich text fields

Vendor Wagtail
Product wagtail
Weakness CWE-79 · XSS
Published April 19, 2021
Last update August 3, 2024

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could therefore bypass the editor and craft a POST request directly, publishing content whose links use `javascript:` URLs containing arbitrary code; that code then runs in the browser of anyone who follows the link on the published page. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See the referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).
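The missing control is a server-side scheme check on link hrefs at save time. The following is an added example, not Wagtail's own code and not the workaround from the GitHub advisory: it shows what such a check looks like (an allowlist of URL schemes applied after the whitespace and control-character normalisation browsers perform) and a scanner that walks stored rich-text HTML to find links that fail it. The function names, the allowlist contents and the sample rich-text document are all assumptions made for the example.

```python
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist for this example. Relative URLs (no scheme) and
# fragment links are always accepted; every other scheme is rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}

# Leading/trailing C0 controls and spaces, plus tab/CR/LF anywhere,
# are ignored by browsers before the scheme is parsed (WHATWG URL rules),
# so "java\nscript:" and " javascript:" are both live javascript: links.
_LEADING_TRAILING_JUNK = "".join(chr(c) for c in range(0x21))


def _normalise(url: str) -> str:
    """Apply the same stripping a browser applies before parsing."""
    url = url.strip(_LEADING_TRAILING_JUNK)
    return url.replace("\t", "").replace("\n", "").replace("\r", "")


def is_safe_link_url(url: str) -> bool:
    """True if the href is relative or uses an allowlisted scheme."""
    scheme = urlsplit(_normalise(url)).scheme.lower()
    if scheme == "":
        return True  # relative path, query-only or #fragment link
    return scheme in ALLOWED_SCHEMES


class _UnsafeLinkFinder(HTMLParser):
    """Collects href values of <a> tags that fail is_safe_link_url.

    HTMLParser decodes character references in attribute values, so an
    encoded payload such as java&#10;script: is seen in its decoded form.
    """

    def __init__(self):
        super().__init__()
        self.unsafe: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value is not None and not is_safe_link_url(value):
                self.unsafe.append(value)


def find_unsafe_links(rich_text_html: str) -> list[str]:
    """Return every unsafe href found in a stored rich-text fragment."""
    finder = _UnsafeLinkFinder()
    finder.feed(rich_text_html)
    finder.close()
    return finder.unsafe


def validate_rich_text_links(rich_text_html: str) -> None:
    """Server-side save check: refuse content containing unsafe link URLs."""
    bad = find_unsafe_links(rich_text_html)
    if bad:
        raise ValueError(f"rich text contains {len(bad)} unsafe link URL(s): {bad!r}")


# Constructed sample of what a rich text field might hold in the database:
# three legitimate links followed by four javascript:/data: variants.
SAMPLE_RICH_TEXT = (
    '<p>Read the <a href="https://example.com/docs">docs</a>, '
    '<a href="/about/">about us</a>, or '
    '<a href="mailto:hello@example.com">email us</a>.</p>'
    '<p><a href="javascript:alert(document.cookie)">click</a> '
    '<a href=" JaVaScRiPt:alert(1)">also</a> '
    '<a href="java&#10;script:alert(1)">and this</a> '
    '<a href="data:text/html,&lt;script&gt;alert(1)&lt;/script&gt;">plus</a></p>'
)


if __name__ == "__main__":
    for href in find_unsafe_links(SAMPLE_RICH_TEXT):
        print("unsafe href:", repr(href))
    try:
        validate_rich_text_links(SAMPLE_RICH_TEXT)
    except ValueError as exc:
        print("save rejected:", exc, file=sys.stderr)
```

Running the scanner over the sample flags all four hostile links, including the mixed-case, leading-space and `&#10;`-split variants, while the https, relative and mailto links pass. Because the check is an allowlist, unusual but harmless hrefs such as `localhost:8080/path` are also rejected; that is the intended trade-off for a server-side gate, since a denylist of `javascript:` spellings is what the normalisation cases above defeat.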

Key dates

02 Disclosure timeline

April 19, 2021 CVE published
August 3, 2024 Record updated
