PT-2021-18210 · Wagtail · Wagtail

Kevin Breen · Published 2021-04-19 · Updated 2021-04-29 · CVE-2021-29434

CVSS v4.0: 8.4 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Wagtail versions prior to 2.11.7; Wagtail 2.12.x versions prior to 2.12.4
Description: In affected versions of Wagtail, a Django content management system, the software does not apply server-side checks to ensure that link URLs use a valid protocol when saving the contents of a rich text field in the admin interface; the only validation is performed client-side by the editor, and a request sent directly to the server bypasses it. A malicious user with access to the admin interface could therefore craft a POST request to publish content whose links carry javascript: URLs containing arbitrary code. The result is a stored XSS: the code runs in the browser of any visitor who clicks such a link on the published page. The issue is not exploitable by an ordinary site visitor without access to the Wagtail admin.
Recommendations: For versions prior to 2.11.7, update to Wagtail 2.11.7 or later. For 2.12.x versions prior to 2.12.4, update to Wagtail 2.12.4 or later. As a temporary workaround for sites that cannot easily upgrade, add the workaround code provided with the advisory to a wagtail_hooks.py module in any installed app; it applies the missing server-side check to link URLs saved through rich text fields.
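The kind of server-side check the fix and the workaround add, shown here as an added illustration written for this page rather than Wagtail's own code or the advisory's workaround: a naive prefix check of the sort a crafted POST slips past, beside an allow-list check that first normalises the href the way a browser will interpret it (entity decoding, control-character stripping, case folding) and then accepts only relative URLs and a fixed set of schemes. The scheme list, the function names and the sample hrefs are assumptions constructed for the example; wiring the check into Wagtail's rich text link converter from a wagtail_hooks.py module, as the recommendation describes, is not shown.

```python
import html
import re

# Allow-list for this example: relative links, or one of these schemes.
# (Assumption for illustration, not Wagtail's exact list.)
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto", "tel"})

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")

# Browsers discard ASCII control characters, whitespace and similar junk when
# parsing a URL, so "jav\tascript:" and "\x00javascript:" both run as
# javascript:. The hardened check removes the same junk before deciding.
_JUNK_RE = re.compile(r"[\x00-\x20\x7f-\xa0`]+")

# Constructed sample of hrefs an admin user might submit, including several
# crafted to get past a prefix check. Not taken from any real attack.
SAMPLE_HREFS = [
    "https://example.com/docs",
    "/about/",
    "mailto:editor@example.com",
    "javascript:alert(1)",
    "JavaScript:alert(document.cookie)",
    " javascript:alert(1)",
    "jav&#x09;ascript:alert(1)",
    "&#106;avascript:alert(1)",
    "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
]


def naive_is_safe(url):
    """A prefix check on the raw submitted string: mixed case, a leading
    space or HTML entity encoding all get through it."""
    return not url.startswith("javascript:")


def normalise(url):
    """Reduce an href to the form a browser will actually interpret.
    Entities are decoded first in case the value arrives HTML-encoded."""
    return _JUNK_RE.sub("", html.unescape(url)).lower()


def is_safe_url(url):
    """Server-side allow-list check on the normalised scheme."""
    match = _SCHEME_RE.match(normalise(url))
    if match is None:
        return True  # no scheme at all: a relative URL such as /about/ or #top
    return match.group(1) in ALLOWED_SCHEMES


def check_url(url):
    """Return the href to store unchanged, or None when it must be dropped."""
    return url if is_safe_url(url) else None


def render_link(url, text):
    """Emit the stored <a> element as a hardened converter would: the href
    appears only when check_url accepts it, and the link text is escaped."""
    safe_text = html.escape(text)
    href = check_url(url)
    if href is None:
        return safe_text
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True), safe_text)


def bypasses_naive_check():
    """Sample hrefs the naive check accepts but the allow-list rejects."""
    return [u for u in SAMPLE_HREFS if naive_is_safe(u) and not is_safe_url(u)]


if __name__ == "__main__":
    for href in SAMPLE_HREFS:
        print("%-60r naive=%-5s strict=%s"
              % (href, naive_is_safe(href), is_safe_url(href)))
```

Two design points: the check is an allow-list, so unknown schemes such as data: or vbscript: are rejected without being enumerated, and the stored href is the original string, not the normalised one, so the normalisation only ever influences the accept/reject decision. Host-relative forms like localhost:8080/ match the scheme pattern and are rejected; that is the conservative direction for a sanitizer.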

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2021-29434
GHSA-WQ5H-F9P5-Q7FX
PYSEC-2021-114

Affected Products

Wagtail