
Release note for CVE-2021-29434 in 2.12.4

Matt Westcott 4 years ago
parent
commit
a44312f48f
3 changed files with 10 additions and 0 deletions
  1. CHANGELOG.txt (+1, -0)
  2. CONTRIBUTORS.rst (+1, -0)
  3. docs/releases/2.12.4.rst (+8, -0)

+ 1 - 0
CHANGELOG.txt

@@ -40,6 +40,7 @@ Changelog
 2.12.4 (xx.xx.xxxx)
 ~~~~~~~~~~~~~~~~~~~
 
+ * Fix: CVE-2021-29434 - fix improper validation of URLs ('Cross-site Scripting') in rich text fields (Kevin Breen, Matt Westcott)
  * Fix: Reverse migration errors in images and documents (Mike Brown)
  * Fix: Avoid wagtailembeds migration failure on MySQL 8.0.13+ (Matt Westcott)
  
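Review bot: The release header this entry sits under still reads "2.12.4 (xx.xx.xxxx)", so the date placeholder needs to be filled in before this security release is tagged; a CVE entry with no release date makes it hard for downstream users to tell which builds carry the fix. The entry text itself matches the CVE title used in the docs, which is good for searchability.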

+ 1 - 0
CONTRIBUTORS.rst

@@ -504,6 +504,7 @@ Contributors
 * Susan Dreher
 * Dale Evans
 * Vlad Podgurschi
+* Kevin Breen
 
 Translators
 ===========

+ 8 - 0
docs/releases/2.12.4.rst

@@ -10,6 +10,14 @@ Wagtail 2.12.4 release notes - IN DEVELOPMENT
 What's new
 ==========
 
+CVE-2021-29434: Improper validation of URLs ('Cross-site Scripting') in rich text fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This release addresses a cross-site scripting (XSS) vulnerability in rich text fields. When saving the contents of a rich text field in the admin interface, Wagtail did not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with javascript: URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
+
+Many thanks to Kevin Breen for reporting this issue.
+
+
 Bug fixes
 ~~~~~~~~~