Vulnerability Description
In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).
CVSS Score
5.8 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Torchbox | Wagtail | >= 1.9, <= 2.7.1 |
Related Weaknesses (CWE)
References
- https://github.com/wagtail/wagtail/security/advisories/GHSA-v2wc-pfq2-5cm6 (Exploit, Third Party Advisory)
- https://github.com/wagtail/wagtail/commit/61045ceefea114c40ac4b680af58990dbe7323
- https://github.com/wagtail/wagtail/releases/tag/v2.8.1
FAQ
What is CVE-2020-11001?
CVE-2020-11001 is a vulnerability with a CVSS score of 5.8 (MEDIUM). In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission ...
How severe is CVE-2020-11001?
CVE-2020-11001 has been rated MEDIUM with a CVSS base score of 5.8/10. Note that exploitation requires an account with access to the Wagtail admin interface; an ordinary site visitor cannot trigger it.
Is there a patch for CVE-2020-11001?
Yes. Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the 2.8 branch). See the references section above for the vendor advisory and the fixing commit. Affected products include: Torchbox Wagtail.