wagtail@5.0.4 vulnerabilities

A Django content management system.

  • latest version: 7.3.1

  • latest non vulnerable version:

  • first published: 12 years ago

  • latest version published: 17 days ago

  • licenses detected:

  • Direct Vulnerabilities

    Known vulnerabilities in the wagtail package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version

    • Cross-site Scripting (XSS) (severity: medium)

    wagtail is an open source content management system built on Django.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the TableBlock class attributes. A user with access to create or edit pages containing TableBlock StreamField blocks in the admin interface can execute arbitrary JavaScript code in the context of a higher-privileged user by crafting malicious class attributes, which are rendered when the page is viewed by an authenticated user with sufficient privileges.

    How to fix Cross-site Scripting (XSS)?

    Upgrade wagtail to version 6.3.8, 7.0.6, 7.2.3, 7.3.1 or higher.

    Vulnerable versions: [,6.3.8), [6.4rc1,7.0.6), [7.1rc1,7.2.3), [7.3rc1,7.3.1)

    • Cross-site Scripting (XSS) (severity: medium)

    wagtail is an open source content management system built on Django.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the wagtail.contrib.simple_translation module. A user with access to the admin area can execute arbitrary JavaScript code in the context of another user's session by creating a specially-crafted page title and having another authenticated user perform the "Translate" action in the admin interface. This may allow the attacker to perform actions with the victim's credentials.

    How to fix Cross-site Scripting (XSS)?

    Upgrade wagtail to version 6.3.8, 7.0.6, 7.2.3, 7.3.1 or higher.

    Vulnerable versions: [,6.3.8), [6.4rc1,7.0.6), [7.1rc1,7.2.3), [7.3rc1,7.3.1)

    • Missing Authorization (severity: medium)

    wagtail is an open source content management system built on Django.

    Affected versions of this package are vulnerable to Missing Authorization via the preview endpoints in the admin interface. An attacker can obtain unauthorized preview renderings of pages, snippets, or site settings by crafting form submissions with arbitrary data. This may expose database contents that are otherwise restricted to users with edit access.

    Note: This is only exploitable if the attacker has access to the admin interface.

    How to fix Missing Authorization?

    Upgrade wagtail to version 6.3.6, 7.0.4, 7.1.3, 7.2.2, 7.3 or higher.

    Vulnerable versions: [,6.3.6), [6.4rc1,7.0.4), [7.1rc1,7.1.3), [7.2rc1,7.2.2), [7.3rc1,7.3)

    • Regular Expression Denial of Service (ReDoS) (severity: high)

    wagtail is an open source content management system built on Django.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) through the parse_query_string function. An attacker can cause the server to consume excessive resources and potentially crash by submitting specially crafted search queries.

    Note: This is only exploitable if the site uses the default or a custom search implementation that employs parse_query_string.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade wagtail to version 5.2.6, 6.0.6, 6.1.3 or higher.

    Vulnerable versions: [,5.2.6), [6.0,6.0.6), [6.1,6.1.3)

    • Improper Handling of Insufficient Permissions or Privileges (severity: medium)

    wagtail is an open source content management system built on Django.

    Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the wagtail.contrib.settings module. An attacker with access to the admin and knowledge of the URL of the edit view for a settings model can modify settings without proper permissions.

    How to fix Improper Handling of Insufficient Permissions or Privileges?

    Upgrade wagtail to version 6.0.5, 6.1.2 or higher.

    Vulnerable versions: [,6.0.5), [6.1rc1,6.1.2)

    • Race Condition (severity: low)

    wagtail is an open source content management system built on Django.

    Affected versions of this package are vulnerable to Race Condition in dispatch() in edit.py, when two processes load the edit view of a page without a subscription.

    How to fix Race Condition?

    Upgrade wagtail to version 5.2rc1 or higher.

    Vulnerable versions: [,5.2rc1)

    • Race Condition (severity: low)

    wagtail is an open source content management system built on Django.

    Affected versions of this package are vulnerable to Race Condition in create_or_update_for_object() that could cause uniqueness errors when inserting reference index entries.

    How to fix Race Condition?

    Upgrade wagtail to version 5.2rc1 or higher.

    Vulnerable versions: [,5.2rc1)

    • Direct Request ('Forced Browsing') (severity: low)

    wagtail is an open source content management system built on Django.

    Affected versions of this package are vulnerable to Direct Request ('Forced Browsing') through the admin bulk action views. An attacker can disclose user names by making a direct URL request.

    Note: This is only exploitable if the attacker has a limited-permission editor account for the Wagtail admin.

    How to fix Direct Request ('Forced Browsing')?

    Upgrade wagtail to version 4.1.9, 5.0.5, 5.1.3 or higher.

    Vulnerable versions: [,4.1.9), [4.2,5.0.5), [5.1,5.1.3)