NVD

NOTICE UPDATE

NIST has updated the NVD program announcement page with additional information regarding recent concerns and the temporary delays in enrichment efforts.

CVE-2020-15118 Detail

Description

In Wagtail before versions 2.7.4 and 2.9.3, when a form page type is made available to Wagtail editors through the `wagtail.contrib.forms` app, and the page template is built using Django's standard form rendering helpers such as form.as_p, any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.4 (for the LTS 2.7 branch) and Wagtail 2.9.3 (for the current 2.9 branch). In these versions, help text will be escaped to prevent the inclusion of HTML tags. Site owners who wish to re-enable the use of HTML within help text (and are willing to accept the risk of this being exploited by editors) may set WAGTAILFORMS_HELP_TEXT_ALLOW_HTML = True in their configuration settings. Site owners who are unable to upgrade to the new versions can secure their form page templates by rendering forms field-by-field as per Django's documentation, but omitting the |safe filter when outputting the help text.

Severity

CVSS 3.x Severity and Metrics:

NIST: NVD

Base Score: 5.4 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Nist CVSS score does not match with CNA score

CNA: GitHub, Inc.

Base Score: 5.7 MEDIUM

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: It is possible that the NVD CVSS may not match that of the CNA. The most common reason for this is that publicly available information does not provide sufficient detail or that information simply was not available at the time the CVSS vector string was assigned.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://docs.djangoproject.com/en/3.0/ref/models/fields/#django.db.models.Field.help_text	Third Party Advisory
https://docs.wagtail.io/en/stable/reference/contrib/forms/index.html#usage	Vendor Advisory
https://github.com/wagtail/wagtail/blob/master/docs/releases/2.9.3.rst	Release Notes Third Party Advisory
https://github.com/wagtail/wagtail/commit/d9a41e7f24d08c024acc9a3094940199df94db34	Patch Third Party Advisory
https://github.com/wagtail/wagtail/security/advisories/GHSA-2473-9hgq-j7xw	Third Party Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	NIST GitHub, Inc.

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

2 change records found show changes

Initial Analysis by NIST 7/28/2020 8:29:45 AM

Action	Type	Old Value	New Value
Added	CPE Configuration		OR cpe:2.3:a:torchbox:wagtail::::::::* versions from (including) 2.7 up to (excluding) 2.7.4 cpe:2.3:a:torchbox:wagtail::::::::* versions from (including) 2.9 up to (excluding) 2.9.3
Added	CVSS V2		NIST (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Added	CVSS V2 Metadata		Victim must voluntarily interact with attack mechanism
Added	CVSS V3.1		NIST AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Added	CWE		NIST CWE-79
Changed	Reference Type	https://docs.djangoproject.com/en/3.0/ref/models/fields/#django.db.models.Field.help_text No Types Assigned	https://docs.djangoproject.com/en/3.0/ref/models/fields/#django.db.models.Field.help_text Third Party Advisory
Changed	Reference Type	https://docs.wagtail.io/en/stable/reference/contrib/forms/index.html#usage No Types Assigned	https://docs.wagtail.io/en/stable/reference/contrib/forms/index.html#usage Vendor Advisory
Changed	Reference Type	https://github.com/wagtail/wagtail/blob/master/docs/releases/2.9.3.rst No Types Assigned	https://github.com/wagtail/wagtail/blob/master/docs/releases/2.9.3.rst Release Notes, Third Party Advisory
Changed	Reference Type	https://github.com/wagtail/wagtail/commit/d9a41e7f24d08c024acc9a3094940199df94db34 No Types Assigned	https://github.com/wagtail/wagtail/commit/d9a41e7f24d08c024acc9a3094940199df94db34 Patch, Third Party Advisory
Changed	Reference Type	https://github.com/wagtail/wagtail/security/advisories/GHSA-2473-9hgq-j7xw No Types Assigned	https://github.com/wagtail/wagtail/security/advisories/GHSA-2473-9hgq-j7xw Third Party Advisory

Quick Info

CVE Dictionary Entry:
CVE-2020-15118
NVD Published Date:
07/20/2020
NVD Last Modified:
07/28/2020
Source:
GitHub, Inc.

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database