Vulnerability Details CVE-2020-11001
In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision
comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail
admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform
actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to
the Wagtail admin.
Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 60.0%
CVSS Severity
CVSS v3 Score 5.8
CVSS v2 Score 3.5
References
Products affected by CVE-2020-11001
-
cpe:2.3:a:torchbox:wagtail:1.10
-
cpe:2.3:a:torchbox:wagtail:1.10.1
-
cpe:2.3:a:torchbox:wagtail:1.11
-
cpe:2.3:a:torchbox:wagtail:1.11.1
-
cpe:2.3:a:torchbox:wagtail:1.12
-
cpe:2.3:a:torchbox:wagtail:1.12.1
-
cpe:2.3:a:torchbox:wagtail:1.12.2
-
cpe:2.3:a:torchbox:wagtail:1.12.3
-
cpe:2.3:a:torchbox:wagtail:1.12.4
-
cpe:2.3:a:torchbox:wagtail:1.12.5
-
cpe:2.3:a:torchbox:wagtail:1.12.6
-
cpe:2.3:a:torchbox:wagtail:1.13
-
cpe:2.3:a:torchbox:wagtail:1.13.1
-
cpe:2.3:a:torchbox:wagtail:1.13.2
-
cpe:2.3:a:torchbox:wagtail:1.13.3
-
cpe:2.3:a:torchbox:wagtail:1.13.4
-
cpe:2.3:a:torchbox:wagtail:1.9
-
cpe:2.3:a:torchbox:wagtail:1.9.1
-
cpe:2.3:a:torchbox:wagtail:2.0
-
cpe:2.3:a:torchbox:wagtail:2.0.1
-
cpe:2.3:a:torchbox:wagtail:2.0.2
-
cpe:2.3:a:torchbox:wagtail:2.1
-
cpe:2.3:a:torchbox:wagtail:2.1.1
-
cpe:2.3:a:torchbox:wagtail:2.1.2
-
cpe:2.3:a:torchbox:wagtail:2.1.3
-
cpe:2.3:a:torchbox:wagtail:2.2
-
cpe:2.3:a:torchbox:wagtail:2.2.1
-
cpe:2.3:a:torchbox:wagtail:2.2.2
-
cpe:2.3:a:torchbox:wagtail:2.3
-
cpe:2.3:a:torchbox:wagtail:2.4
-
cpe:2.3:a:torchbox:wagtail:2.5
-
cpe:2.3:a:torchbox:wagtail:2.5.1
-
cpe:2.3:a:torchbox:wagtail:2.5.2
-
cpe:2.3:a:torchbox:wagtail:2.6
-
cpe:2.3:a:torchbox:wagtail:2.6.1
-
cpe:2.3:a:torchbox:wagtail:2.6.2
-
cpe:2.3:a:torchbox:wagtail:2.6.3
-
cpe:2.3:a:torchbox:wagtail:2.7
-
cpe:2.3:a:torchbox:wagtail:2.7.1
-
cpe:2.3:a:torchbox:wagtail:2.8