PT-2021-19853 · Wagtail · Wagtail

Karen Tracey · Published 2021-06-17 · Updated 2021-06-23 · CVE-2021-32681

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Wagtail versions 2.13 through 2.13.1
Wagtail versions 2.12 through 2.12.4
Wagtail versions prior to 2.11.8
Description

A cross-site scripting issue exists when the {% include_block %} template tag is used to output the value of a plain-text StreamField block, such as CharBlock or TextBlock, without a specified template for rendering. This could allow users to insert arbitrary HTML or scripting, but it is only exploitable by users with 'editor' access to the Wagtail admin.
Recommendations

For Wagtail versions 2.13 through 2.13.1, update to version 2.13.2. For Wagtail versions 2.12 through 2.12.4, update to version 2.12.5. For Wagtail versions prior to 2.11.8, update to version 2.11.8. As a temporary workaround for sites unable to upgrade, audit the use of {% include_block %} to ensure it is not used to output CharBlock / TextBlock values with no associated template, and consider replacing the tag with Django's {{ ... }} syntax.
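The workaround above asks site owners to audit every use of the include_block tag. The following script is an added example, not Wagtail's or the advisory's own code: it scans Django template sources for {% include_block %} tags and reports their line numbers so each one can be checked by hand for a CharBlock or TextBlock rendered without a template. The sample template is constructed for this example, and the scanner cannot tell which StreamField block type a tag renders, so every hit is a candidate for manual review rather than a confirmed problem.

```python
"""Audit helper for the advisory's workaround: list every {% include_block %}
usage in Django/Wagtail template sources for manual review.
Added example; not part of Wagtail or of the advisory itself."""
from __future__ import annotations

import re
from pathlib import Path

# Matches the whole tag, e.g. {% include_block block %} or
# {% include_block block with foo=bar %} (the "with" clause is real tag syntax).
# The scanner only records raw tag text; it does not know the block type.
INCLUDE_BLOCK_TAG = re.compile(r"{%\s*include_block\b[^%]*%}")


def find_include_block_uses(source: str) -> list[tuple[int, str]]:
    """Return (line_number, tag_text) for every include_block tag in source."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in INCLUDE_BLOCK_TAG.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def scan_templates(root: Path) -> dict[str, list[tuple[int, str]]]:
    """Walk a templates directory and collect hits per .html file (path relative to root)."""
    report: dict[str, list[tuple[int, str]]] = {}
    for path in sorted(root.rglob("*.html")):
        hits = find_include_block_uses(path.read_text(encoding="utf-8"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# Constructed sample template (not from any real project) rendering a StreamField.
# Line 5 is the pattern the advisory warns about: a plain-text block with no
# template of its own passed through include_block. Line 9 shows the
# {{ ... }} form the advisory suggests, which Django autoescapes.
SAMPLE_TEMPLATE = """{% load wagtailcore_tags %}
<article>
  {% for block in page.body %}
    {% if block.block_type == 'heading' %}
      <h2>{% include_block block %}</h2>      {# CharBlock, no template: review #}
    {% elif block.block_type == 'paragraph' %}
      {% include_block block %}               {# block with its own rendering #}
    {% else %}
      <p>{{ block.value }}</p>                {# autoescaped by Django #}
    {% endif %}
  {% endfor %}
</article>
"""

if __name__ == "__main__":
    for lineno, tag in find_include_block_uses(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {tag}")
```

Run `scan_templates(Path("templates"))` against a project's template directory to get the per-file report; each listed tag then needs a look at the block definition to decide whether it outputs a CharBlock / TextBlock value with no associated template.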

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2021-32681
GHSA-XFRW-HXR5-GHQF
PYSEC-2021-103

Affected Products

Wagtail