CVE-2021-32681: Cross-site Scripting in wagtail
(updated )
When the {% include_block %} template tag is used to output the value of a plain-text StreamField block (CharBlock, TextBlock or a similar user-defined block derived from FieldBlock), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with ’editor’ access to the Wagtail admin).
References
- github.com/advisories/GHSA-xfrw-hxr5-ghqf
- github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-103.yaml
- github.com/wagtail/wagtail
- github.com/wagtail/wagtail/releases/tag/v2.11.8
- github.com/wagtail/wagtail/releases/tag/v2.12.5
- github.com/wagtail/wagtail/releases/tag/v2.13.2
- github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf
- nvd.nist.gov/vuln/detail/CVE-2021-32681
Code Behaviors & Features
Detect and mitigate CVE-2021-32681 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →