PT-2020-12483 · Wagtail · Wagtail

Vlad Gerasimenko

·

Published

2020-04-14

·

Updated

2024-11-19

·

CVE-2020-11001

CVSS v3.1

6.8

Medium

Vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Wagtail versions prior to 2.7.2 and prior to 2.8.1

Description: A cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Recommendations: For versions prior to 2.7.2, update to Wagtail 2.7.2. For versions prior to 2.8.1, update to Wagtail 2.8.1. As a temporary workaround, site owners who are unable to upgrade to the new versions can disable the revision comparison view by adding a URL route to the top of their project's urls.py configuration to redirect the revision comparison view to the admin dashboard.
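The advisory does not reproduce Wagtail's compare code or its fix. As an added illustration of the bug class only (this is not Wagtail's code), the following Python shows a revision diff renderer that interpolates stored field text into its `<ins>`/`<del>` markup unescaped, beside the hardened form that escapes the text first; the two revisions are constructed sample data.

```python
import difflib
import html
import re

# Constructed sample revisions (not from the advisory): a limited-permission
# editor saves a body containing markup, which a privileged user later views
# on the revision comparison page.
REVISION_A = "Welcome to our site. Contact us for details."
REVISION_B = "Welcome to our site. Contact us <script>alert(1)</script> for details."


def _diff_words(old: str, new: str):
    """Yield (tag, text) pairs describing how old became new, word by word."""
    a, b = old.split(), new.split()
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag == "equal":
            yield "equal", " ".join(a[i1:i2])
        else:  # replace / delete / insert
            if i1 != i2:
                yield "del", " ".join(a[i1:i2])
            if j1 != j2:
                yield "ins", " ".join(b[j1:j2])


def htmldiff_unescaped(old: str, new: str) -> str:
    """Bug-class illustration: revision text goes into the diff markup as-is,
    so any HTML stored in a revision is rendered in the viewer's browser."""
    parts = []
    for tag, text in _diff_words(old, new):
        parts.append(text if tag == "equal" else f"<{tag}>{text}</{tag}>")
    return " ".join(parts)


def htmldiff_escaped(old: str, new: str) -> str:
    """Hardened form: every piece of revision text is HTML-escaped before the
    <ins>/<del> wrapper is added, so the wrapper is the only live markup."""
    parts = []
    for tag, text in _diff_words(old, new):
        safe = html.escape(text, quote=True)
        parts.append(safe if tag == "equal" else f"<{tag}>{safe}</{tag}>")
    return " ".join(parts)


def contains_live_markup(rendered: str) -> bool:
    """Check for a rendered diff: any tag other than our own <ins>/<del> wrapper
    means untrusted revision content reached the page unescaped."""
    return "<" in re.sub(r"</?(ins|del)>", "", rendered)
```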

XSS

Related Identifiers

CVE-2020-11001
GHSA-V2WC-PFQ2-5CM6
PYSEC-2020-152

Affected Products

Wagtail