GitHub_MCVELIST:CVE-2020-11001CVE-2020-11001 Possible XSS attack in Wagtail
5.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
6.4 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
39.3%
In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user’s credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).
CNA Affected
[
{
"product": "wagtail",
"vendor": "wagtail",
"versions": [
{
"status": "affected",
"version": ">=1.9.0, < 2.7.2"
},
{
"status": "affected",
"version": ">= 2.8.0, < 2.8.1"
}
]
}
]Related
5.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
6.4 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
39.3%