Wagtail · Wagtail · CVE-2020-11001
**Name of the Vulnerable Software and Affected Versions**
Wagtail versions prior to 2.7.2 and prior to 2.8.1
**Description**
A cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
**Recommendations**
For versions prior to 2.7.2, update to Wagtail 2.7.2.
For versions prior to 2.8.1, update to Wagtail 2.8.1.
As a temporary workaround, site owners who are unable to upgrade to the new versions can disable the revision comparison view by adding a URL route to the top of their project's `urls.py` configuration to redirect the revision comparison view to the admin dashboard.
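The following is an added example of that workaround route, not code from the Wagtail advisory or the Wagtail project. It assumes the Wagtail admin is mounted at `/admin/` and that the comparison view lives under `admin/pages/<page_id>/revisions/compare/`, which should be verified against the installed Wagtail version before deploying; the `is_compare_view` helper and the regex constant are this example's own additions so the match can be checked outside a running site.

```python
# Added example (not from the Wagtail advisory or project): a Django urls.py
# route that intercepts the Wagtail admin page-revision comparison view and
# redirects it to the admin dashboard, as the temporary workaround describes.
#
# Assumptions (verify against your Wagtail version): the admin is mounted at
# /admin/, the comparison view is served under
# admin/pages/<page_id>/revisions/compare/..., and the dashboard is /admin/.
import re

# Anchored at the start of the path and limited to the "compare" sub-path, so
# other revision views (list, preview, revert) under the same page keep working.
# No trailing "$": Django matches an unterminated pattern as a prefix, so any
# revision-id suffix is covered.
COMPARE_VIEW_RE = r"^admin/pages/\d+/revisions/compare/"


def is_compare_view(path):
    """Return True if a request path (Django style, no leading slash) would be
    caught by the workaround route, i.e. it is a revision comparison URL."""
    return re.match(COMPARE_VIEW_RE, path) is not None


try:
    # A real project imports these unconditionally; the guard only lets this
    # example run in an environment where Django or Wagtail is not installed.
    from django.urls import include, re_path
    from django.views.generic.base import RedirectView
    from wagtail.admin import urls as wagtailadmin_urls

    urlpatterns = [
        # Must be listed BEFORE the Wagtail admin include: Django takes the
        # first matching pattern, so this route shadows the comparison view.
        re_path(COMPARE_VIEW_RE, RedirectView.as_view(url="/admin/", permanent=False)),
        re_path(r"^admin/", include(wagtailadmin_urls)),
        # ... the rest of the project's URL patterns follow unchanged
    ]
except ImportError:
    urlpatterns = []
```

The redirect is deliberately non-permanent (`permanent=False`) so browsers do not cache a 301 and keep sending users to the dashboard after the site has been upgraded and the route removed.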