CVE-2021-29434
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-29434
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29434.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-29434
- Aliases
- Related
- Published
- 2021-04-19T19:15:17Z
- Modified
- 2025-02-19T03:18:25.725254Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with
javascript:URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch). - References