{ "schema_version": "1.4.0", "id": "GHSA-wq5h-f9p5-q7fx", "modified": "2024-11-19T16:02:32Z", "published": "2021-04-20T14:02:30Z", "aliases": [ "CVE-2021-29434" ], "summary": "Improper validation of URLs ('Cross-site Scripting') in Wagtail rich text fields", "details": "### Impact\nWhen saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.\n\n### Patches\nPatched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).\n\n### Workarounds\nFor sites that cannot easily upgrade to a current supported version, the vulnerability can be patched by adding the following code to a `wagtail_hooks.py` module in any installed app:\n\n```python\nfrom draftjs_exporter.dom import DOM\nfrom wagtail.admin.rich_text.converters.html_to_contentstate import ExternalLinkElementHandler, PageLinkElementHandler\nfrom wagtail.core import hooks\nfrom wagtail.core.whitelist import check_url\n\n\ndef link_entity(props):\n id_ = props.get('id')\n link_props = {}\n\n if id_ is not None:\n link_props['linktype'] = 'page'\n link_props['id'] = id_\n else:\n link_props['href'] = check_url(props.get('url'))\n\n return DOM.create_element('a', link_props, props['children'])\n\n\n@hooks.register('register_rich_text_features', order=1)\ndef register_link(features):\n features.register_converter_rule('contentstate', 'link', {\n 'from_database_format': {\n 'a[href]': ExternalLinkElementHandler('LINK'),\n 'a[linktype=\"page\"]': PageLinkElementHandler('LINK'),\n },\n 'to_database_format': {\n 'entity_decorators': {'LINK': link_entity}\n }\n })\n```\n\n### Acknowledgements\nMany thanks to Kevin Breen for reporting this issue.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Visit Wagtail's [support channels](https://docs.wagtail.io/en/stable/support.html)\n* Email us at security@wagtail.io (if you wish to send encrypted email, the public key ID is `0x6ba1e1a86e0f8ce8`)", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ { "package": { "ecosystem": "PyPI", "name": "wagtail" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.11.7" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 2.11.6" } }, { "package": { "ecosystem": "PyPI", "name": "wagtail" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.12" }, { "fixed": "2.12.4" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 2.12.3" } } ], "references": [ { "type": "WEB", "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29434" }, { "type": "WEB", "url": "https://github.com/wagtail/wagtail/commit/5c7a60977cba478f6a35390ba98cffc2bd41c8a4" }, { "type": "WEB", "url": "https://github.com/wagtail/wagtail/commit/915f6ed2bd7d53154103cc4424a0f18695cdad6c" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-114.yaml" }, { "type": "PACKAGE", "url": "https://github.com/wagtail/wagtail" }, { "type": "WEB", "url": "https://github.com/wagtail/wagtail/compare/v2.11.6...v2.11.7" }, { "type": "WEB", "url": "https://pypi.org/project/wagtail" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-04-19T18:46:26Z", "nvd_published_at": "2021-04-19T19:15:00Z" } }