{"id":"PYSEC-2021-114","details":"Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).","aliases":["CVE-2021-29434","GHSA-wq5h-f9p5-q7fx"],"modified":"2023-11-08T04:05:33.896694Z","published":"2021-04-19T19:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx"},{"type":"PACKAGE","url":"https://pypi.org/project/wagtail/"}],"affected":[{"package":{"name":"wagtail","ecosystem":"PyPI","purl":"pkg:pypi/wagtail"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.11"},{"fixed":"2.11.7"},{"introduced":"0"},{"fixed":"2.11.6"},{"introduced":"2.12"},{"fixed":"2.12.4"}]}],"versions":["0.1","0.2","0.3","0.3.1","0.4","0.4.1","0.5","0.6","0.7","0.8","0.8.1","0.8.2","0.8.3","0.8.4","0.8.5","0.8.6","0.8.7","0.8.8","0.8.9","0.8.10","1.0b1","1.0b2","1.0rc1","1.0rc2","1.0","1.1rc1","1.1","1.2rc1","1.2","1.3rc1","1.3","1.3.1","1.4rc1","1.4","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.5rc1","1.5","1.5.1","1.5.2","1.5.3","1.6rc1","1.6","1.6.1","1.6.2","1.6.3","1.7rc1","1.7","1.8rc1","1.8","1.8.1","1.8.2","1.9rc1","1.9","1.9.1","1.10rc1","1.10","1.10.1","1.11rc1","1.11","1.11.1","1.12rc1","1.12","1.12.1","1.12.2","1.12.3","1.12.4","1.12.5","1.12.6","1.13rc1","1.13","1.13.1","1.13.2","1.13.3","1.13.4","2.0b1","2.0rc1","2.0","2.0.1","2.0.2","2.1rc1","2.1rc2","2.1","2.1.1","2.1.2","2.1.3","2.2rc1","2.2rc2","2.2","2.2.1","2.2.2","2.3rc1","2.3rc2","2.3","2.4rc1","2.4","2.5rc1","2.5","2.5.1","2.5.2","2.6rc1","2.6","2.6.1","2.6.2","2.6.3","2.7rc1","2.7rc2","2.7","2.7.1","2.7.2","2.7.3","2.7.4","2.8rc1","2.8","2.8.1","2.8.2","2.9rc1","2.9","2.9.1","2.9.2","2.9.3","2.10rc1","2.10rc2","2.10","2.10.1","2.10.2","2.11rc1","2.11","2.11.1","2.11.2","2.11.3","2.11.4","2.11.5","2.11.6","2.12","2.12.1","2.12.2","2.12.3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2021-114.yaml"}}],"schema_version":"1.7.3"}