VYPR
High severity · NVD Advisory · Published Apr 19, 2021 · Updated Aug 3, 2024

Improper validation of URLs ('Cross-site Scripting') in Wagtail rich text fields

CVE-2021-29434

Description

Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with javascript: URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).
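The server-side check the description says was missing, as an added example rather than Wagtail's own code or its actual fix: it walks the HTML stored for a rich text field and drops the href of every link whose scheme is not on an allowlist, normalising case and embedded whitespace the way browsers do before deciding. The allowlist, the class and the function names are assumptions.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlisted link schemes: an assumption for this example, not Wagtail's config.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}

def url_scheme_is_allowed(url):
    """True for relative URLs and for absolute URLs with an allowlisted scheme.
    Browsers ignore whitespace/control chars around the scheme and compare it
    case-insensitively, so "JavaScript:" and "java\\tscript:" are javascript:."""
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    scheme = urlsplit(cleaned).scheme.lower()
    return not scheme or scheme in ALLOWED_SCHEMES

class LinkSchemeSanitizer(HTMLParser):
    """Re-emit rich text HTML, dropping the href of any <a> that fails the
    scheme check; rejected URLs are collected in self.rejected."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: attrs and text arrive decoded
        self.out, self.rejected = [], []

    def _emit_start(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            # Values are entity-decoded, so "javascript&colon;" is checked as "javascript:".
            if tag == "a" and name == "href" and not url_scheme_is_allowed(value or ""):
                self.rejected.append(value)
                continue  # keep the anchor text, drop the dangerous href
            parts.append(name if value is None else
                         '%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (" ".join(parts), " /" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs)
    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, self_closing=True)
    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # re-escape decoded text

def sanitize_rich_text(html_text):
    """Return (sanitized_html, rejected_urls) for a rich text field value."""
    parser = LinkSchemeSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.rejected
```

Running the check on save, and logging any non-empty rejected list against the editing account, turns an attempted javascript: link into a detection signal rather than published content.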


Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions    Patched versions
wagtail (PyPI)     < 2.11.7             2.11.7
wagtail (PyPI)     >= 2.12, < 2.12.4    2.12.4
