CVE-2020-11001
Possible XSS attack in Wagtail
Severity: MEDIUM 5.8 | EPSS: 0.36%
Description

### Impact

A cross-site scripting (XSS) vulnerability exists in the page revision comparison view of the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could craft a page revision history that, when viewed by a user with higher privileges, performs actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

### Patches

Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).

### Workarounds

Site owners who are unable to upgrade to the new versions can disable the revision comparison view by adding the following URL route to the top of their project's `urls.py` configuration, so that it is matched before Wagtail's own admin routes:

```python
from django.conf.urls import url  # not shown in the original snippet, but required for url()
from django.views.generic.base import RedirectView

urlpatterns = [
    # Must stay first: Django stops at the first matching pattern, so this
    # redirect shadows the vulnerable compare view for every page id.
    url(r'^admin/pages/(\d+)/revisions/compare/', RedirectView.as_view(url='/admin/')),
    # ...
]
```

The pattern assumes the Wagtail admin is mounted at `admin/`; adjust the prefix if your project mounts it elsewhere, otherwise the redirect never matches and the view stays reachable.

### Acknowledgements

Many thanks to Vlad Gerasimenko for reporting this issue.

### For more information

If you have any questions or comments about this advisory:

* Visit Wagtail's [support channels](https://docs.wagtail.io/en/stable/support.html)
* Email us at [email protected] (if you wish to send encrypted email, the public key ID is `0x6ba1e1a86e0f8ce8`)
Affected packages (2)
- PyPI/wagtail: >= 1.9.0, < 2.7.2
- PyPI/wagtail: git from 0, < 61045ceefea114c40ac4b680af58990dbe732389 (the fix commit) | >= 1.9, < 2.7.2
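The ranges above are what a dependency scan has to compare against. The following is an added example, not Wagtail's or the advisory's own code: it parses pinned `wagtail==` lines from a constructed `requirements.txt`, normalises the version string, and flags pins that fall inside the affected ranges. The 1.9 <= v < 2.7.2 range is taken from the listing above; treating 2.8.0 as affected (fixed in 2.8.1) is an assumption derived from the advisory's statement that 2.8.1 patches the 2.8 branch. Pre-release pins such as `2.8rc1` are deliberately reported as unparseable rather than silently marked safe.

```python
"""Flag pinned Wagtail versions inside the CVE-2020-11001 affected ranges.

Added example, not code from Wagtail or the advisory. Sample input is constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# (first affected, first fixed) pairs; the upper bound is exclusive.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((1, 9, 0), (2, 7, 2)),  # from the page's OSV range ">= 1.9, < 2.7.2"
    ((2, 8, 0), (2, 8, 1)),  # assumption: 2.8.0 affected, since 2.8.1 fixes the 2.8 branch
]


def parse_version(text: str) -> Version:
    """Turn "2.7.1" or "2.8" into a comparable tuple padded to three components.

    Pre-release suffixes ("2.8rc1") are rejected so an odd pin is reported
    instead of being compared incorrectly.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums)) if len(nums) < 3 else nums


def is_affected(version: str) -> bool:
    """True when the version lies in any affected range (lower inclusive, upper exclusive)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# Matches "name==version" pins; ignores trailing comments and environment markers.
_PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([^\s;#]+)", re.ASCII)


def scan_requirements(lines: Iterable[str]) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (package, version, affected) for each wagtail pin.

    affected is None when the version string could not be parsed.
    """
    findings: List[Tuple[str, str, Optional[bool]]] = []
    for line in lines:
        m = _PIN.match(line)
        if not m:
            continue
        name, version = m.group(1).lower().replace("_", "-"), m.group(2)
        if name != "wagtail":
            continue
        try:
            findings.append((name, version, is_affected(version)))
        except ValueError:
            findings.append((name, version, None))
    return findings


# Constructed sample input: three pins covering unpatched, patched and pre-release cases.
SAMPLE_REQUIREMENTS = """\
Django==2.2.12
wagtail==2.7.1      # LTS branch, unpatched
Wagtail==2.8.1      # patched
wagtail==2.8rc1     # pre-release, not handled by parse_version
"""

if __name__ == "__main__":
    for name, version, affected in scan_requirements(SAMPLE_REQUIREMENTS.splitlines()):
        status = {True: "AFFECTED", False: "ok", None: "unparseable"}[affected]
        print(f"{name}=={version}: {status}")
```

Run it against a real `requirements.txt` by replacing `SAMPLE_REQUIREMENTS` with the file's lines; anything reported as `unparseable` needs a manual look rather than being assumed safe.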
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.8 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-11001
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-152.yaml
- WEB: https://github.com/wagtail/wagtail/commit/61045ceefea114c40ac4b680af58990dbe732389
- WEB: https://github.com/wagtail/wagtail/releases/tag/v2.8.1
- WEB: https://github.com/wagtail/wagtail/security/advisories/GHSA-v2wc-pfq2-5cm6