CVE-2020-11001

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-11001

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-11001.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-11001

Aliases

Related

GHSA-v2wc-pfq2-5cm6

Published

2020-04-14T23:15:11Z

Modified

2025-01-08T10:26:47.304582Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).

References

Affected packages

Git / github.com/wagtail/wagtail

Affected ranges

Type: GIT
Repo: https://github.com/wagtail/wagtail
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

61045ceefea114c40ac4b680af58990dbe732389

Affected versions

v0.*

v0.1

v0.2

v0.3

v0.3.1

v0.4

v0.5

v0.6

v0.7

v0.8

v0.8.1

v1.*

v1.0b1

v1.0b2

v1.0rc1

v1.10rc1

v1.1rc1

v1.2rc1

v1.3rc1

v1.4rc1

v1.5rc1

v1.6rc1

v1.8rc1

v2.*

v2.0b1

v2.1rc1

v2.2rc1

v2.8

v2.8rc1