CVE-2021-29434
Severity: MEDIUM 6.1 | EPSS: 0.27%
Improper validation of URLs ('Cross-site Scripting') in Wagtail rich text fields
Description
### Impact

When saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

### Patches

Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).

### Workarounds

For sites that cannot easily upgrade to a current supported version, the vulnerability can be patched by adding the following code to a `wagtail_hooks.py` module in any installed app:

```python
from draftjs_exporter.dom import DOM
from wagtail.admin.rich_text.converters.html_to_contentstate import ExternalLinkElementHandler, PageLinkElementHandler
from wagtail.core import hooks
from wagtail.core.whitelist import check_url


def link_entity(props):
    # Entity decorator used when converting editor contentstate to the stored
    # HTML. Internal page links are kept as linktype/id; external links go
    # through check_url(), which rejects disallowed schemes such as javascript:.
    id_ = props.get('id')
    link_props = {}

    if id_ is not None:
        link_props['linktype'] = 'page'
        link_props['id'] = id_
    else:
        link_props['href'] = check_url(props.get('url'))

    return DOM.create_element('a', link_props, props['children'])


# order=1 runs after Wagtail's own registration of the 'link' feature (order 0),
# so this converter rule replaces the stock one.
@hooks.register('register_rich_text_features', order=1)
def register_link(features):
    features.register_converter_rule('contentstate', 'link', {
        'from_database_format': {
            'a[href]': ExternalLinkElementHandler('LINK'),
            'a[linktype="page"]': PageLinkElementHandler('LINK'),
        },
        'to_database_format': {
            'entity_decorators': {'LINK': link_entity}
        }
    })
```

The check runs in the `to_database_format` conversion, so it covers content saved after the hook is installed; links already stored in the database are not rewritten by it.

### Acknowledgements

Many thanks to Kevin Breen for reporting this issue.

### For more information

If you have any questions or comments about this advisory:

* Visit Wagtail's [support channels](https://docs.wagtail.io/en/stable/support.html)
* Email us at [email protected] (if you wish to send encrypted email, the public key ID is `0x6ba1e1a86e0f8ce8`)
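The workaround above relies on `check_url` to drop links whose scheme is not allowed before the rich text is stored. The following is an added example, not Wagtail's own code and not part of the advisory: it reimplements a scheme check of that kind stand-alone (the allow-list, the character filter and the function names `link_entity_attrs`, `render_link` and `render_all` are assumptions for this example) and runs it over a constructed set of LINK entities of the sort an admin user could submit, including the tab-obfuscated `jav\tascript:` form that browsers still execute.

```python
import re
from html import escape

# Example added for this page; it is not Wagtail's code. check_url() here is a
# stand-alone reimplementation of the kind of scheme check the workaround's
# wagtail.core.whitelist.check_url performs, so this runs without Wagtail.

# Assumed allow-list of link schemes (Wagtail keeps its own list).
ALLOWED_URL_SCHEMES = {"http", "https", "ftp", "mailto", "tel"}

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)

# Characters a URL may legitimately contain. Everything else, notably TAB, LF
# and other control characters, is dropped BEFORE the scheme is examined,
# because browsers strip those too: "jav\tascript:alert(1)" is a live
# javascript: link in a browser, so the check must see it the same way.
_DISALLOWED_URL_CHARS = re.compile(r"[^A-Za-z0-9_\-.+$!*'(),:;@&=?/~#%]")


def check_url(url_string):
    """Return the cleaned URL if its scheme is allowed (or absent, i.e. a
    relative URL); return None when the scheme is not on the allow-list."""
    if url_string is None:
        return None
    cleaned = _DISALLOWED_URL_CHARS.sub("", url_string)
    match = SCHEME_RE.match(cleaned)
    if match and match.group(0)[:-1].lower() not in ALLOWED_URL_SCHEMES:
        return None
    return cleaned


def link_entity_attrs(props):
    """Attributes for the <a> element of one LINK entity, mirroring the
    advisory's link_entity() without the draftjs_exporter dependency:
    internal page links keep linktype/id; external links get an href only
    if check_url() accepts it."""
    attrs = {}
    if props.get("id") is not None:
        attrs["linktype"] = "page"
        attrs["id"] = str(props["id"])
    else:
        href = check_url(props.get("url"))
        if href is not None:
            attrs["href"] = href
    return attrs


def render_link(props):
    """Serialise one LINK entity to HTML with attribute values escaped."""
    attrs = "".join(
        f' {name}="{escape(value, quote=True)}"'
        for name, value in link_entity_attrs(props).items()
    )
    return f"<a{attrs}>{escape(props['children'])}</a>"


# Constructed sample: LINK entities an admin user could submit in the
# contentstate JSON of a rich text field. Only the first, the relative link
# and the internal page link should end up with a usable link.
SAMPLE_LINK_ENTITIES = [
    {"url": "https://example.org/page?a=1&b=2", "children": "ordinary link"},
    {"url": "javascript:alert(document.cookie)", "children": "script link"},
    {"url": "JavaScript:alert(1)", "children": "mixed-case scheme"},
    {"url": "jav\tascript:alert(1)", "children": "tab-obfuscated scheme"},
    {"url": "data:text/html,<script>alert(1)</script>", "children": "data URL"},
    {"url": "/about/", "children": "relative link"},
    {"id": 42, "children": "internal page link"},
]


def render_all(entities=SAMPLE_LINK_ENTITIES):
    """Render every entity; returns the list of <a> strings."""
    return [render_link(props) for props in entities]


if __name__ == "__main__":
    for html in render_all():
        print(html)
```

The order of operations is the point: filter the characters first, then parse the scheme, then compare against an allow-list rather than a deny-list of known-bad schemes, so `data:` and any scheme not explicitly permitted are dropped along with `javascript:`.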
Affected packages (2)
- PyPI/wagtail: from 0, < 2.11.7
- PyPI/wagtail: >= 2.11, < 2.11.7; from 0, < 2.11.6; >= 2.12, < 2.12.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-29434
- PATCH: https://github.com/wagtail/wagtail
- PATCH: https://pypi.org/project/wagtail/
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-114.yaml
- WEB: https://github.com/wagtail/wagtail/commit/5c7a60977cba478f6a35390ba98cffc2bd41c8a4
- WEB: https://github.com/wagtail/wagtail/commit/915f6ed2bd7d53154103cc4424a0f18695cdad6c
- WEB: https://github.com/wagtail/wagtail/compare/v2.11.6...v2.11.7
- WEB: https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx
- WEB: https://pypi.org/project/wagtail