wagtail@7.3rc1 vulnerabilities

A Django content management system.

  • latest version

    7.3.1

  • latest non-vulnerable version

  • first published

    12 years ago

  • latest version published

    7 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the wagtail package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version

    • Cross-site Scripting (XSS) (severity: M, medium)

    wagtail is an open source content management system built on Django.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the TableBlock class attributes. A user with access to create or edit pages containing TableBlock StreamField blocks in the admin interface can execute arbitrary JavaScript code in the context of a higher-privileged user by crafting malicious class attributes, which are rendered when the page is viewed by an authenticated user with sufficient privileges.

    How to fix Cross-site Scripting (XSS)?

    Upgrade wagtail to version 6.3.8, 7.0.6, 7.2.3, 7.3.1 or higher.

    Vulnerable versions: [,6.3.8), [6.4rc1,7.0.6), [7.1rc1,7.2.3), [7.3rc1,7.3.1)

    • Cross-site Scripting (XSS) (severity: M, medium)

    wagtail is an open source content management system built on Django.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the wagtail.contrib.simple_translation module. A user with access to the admin area can execute arbitrary JavaScript code in the context of another user's session by creating a specially-crafted page title and having another authenticated user perform the "Translate" action in the admin interface. This may allow the attacker to perform actions with the victim's credentials.

    How to fix Cross-site Scripting (XSS)?

    Upgrade wagtail to version 6.3.8, 7.0.6, 7.2.3, 7.3.1 or higher.

    Vulnerable versions: [,6.3.8), [6.4rc1,7.0.6), [7.1rc1,7.2.3), [7.3rc1,7.3.1)

    • Missing Authorization (severity: M, medium)

    wagtail is an open source content management system built on Django.

    Affected versions of this package are vulnerable to Missing Authorization via the preview endpoints in the admin interface. An attacker can obtain unauthorized preview renderings of pages, snippets, or site settings by crafting form submissions with arbitrary data. This may expose database contents that are otherwise restricted to users with edit access.

    Note: This is only exploitable if the attacker has access to the admin interface.

    How to fix Missing Authorization?

    Upgrade wagtail to version 6.3.6, 7.0.4, 7.1.3, 7.2.2, 7.3 or higher.

    Vulnerable versions: [,6.3.6), [6.4rc1,7.0.4), [7.1rc1,7.1.3), [7.2rc1,7.2.2), [7.3rc1,7.3)