
CVE-2020-15118 : Security Advisory and Response

Learn about CVE-2020-15118, a cross-site scripting vulnerability in Wagtail versions < 2.7.4 and >= 2.8.0, < 2.9.3, allowing HTML tags in form field help text, impacting confidentiality and integrity.

In Wagtail before versions 2.7.4 and 2.9.3, a vulnerability allows HTML tags within form field help text, potentially leading to cross-site scripting attacks.

Understanding CVE-2020-15118

What is CVE-2020-15118?

This CVE refers to a cross-site scripting vulnerability in Wagtail versions prior to 2.7.4 and 2.9.3, allowing editors to insert HTML tags in form field help text.

The Impact of CVE-2020-15118

The vulnerability could enable privilege escalation and cross-site scripting attacks, affecting confidentiality and integrity.

Technical Details of CVE-2020-15118

Vulnerability Description

        Wagtail versions < 2.7.4 and >= 2.8.0, < 2.9.3 are affected
        Editors could insert HTML tags in form field help text

Affected Systems and Versions

        Product: Wagtail
        Versions: < 2.7.4, >= 2.8.0, < 2.9.3

Exploitation Mechanism

        Editors using the wagtail.contrib.forms app could exploit the vulnerability

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to patched version 2.7.4 (for the 2.7 line) or 2.9.3 (for the 2.8 and 2.9 lines)
        Only set WAGTAILFORMS_HELP_TEXT_ALLOW_HTML = True if HTML in help text is genuinely required; it restores the pre-patch, unescaped behaviour

Long-Term Security Practices

        Render form fields as per Django's documentation
        Omit the |safe filter when outputting help text

Patching and Updates

        Patched versions 2.7.4 and 2.9.3 escape help text to prevent HTML inclusion
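The following is an added example, not code from Wagtail, Django or this advisory. It illustrates the two points above in one place: the escaping the patched versions apply to help text (with an allow_html flag standing in for the WAGTAILFORMS_HELP_TEXT_ALLOW_HTML setting), and a small audit that flags template lines which pipe help text through the |safe filter. The template snippet and help-text string are constructed for illustration; the function names are this example's own.

```python
"""Added example (not Wagtail's or Django's own code): escaping of form-field
help text as applied by the CVE-2020-15118 fix, plus an audit for templates
that re-enable HTML via the |safe filter.

Assumptions: allow_html stands in for the WAGTAILFORMS_HELP_TEXT_ALLOW_HTML
setting named in the advisory; the sample template and help text below are
constructed for illustration.
"""
import html
import re
from typing import List, Tuple


def render_help_text(help_text: str, allow_html: bool = False) -> str:
    """Return help text ready for inclusion in a template.

    With allow_html=False (the patched default) every HTML-significant
    character is escaped, so editor-supplied markup is shown literally.
    allow_html=True mirrors WAGTAILFORMS_HELP_TEXT_ALLOW_HTML = True and
    returns the text untouched, i.e. the pre-patch behaviour.
    """
    if allow_html:
        return help_text
    return html.escape(help_text, quote=True)


# Matches a {{ ... help_text ... |safe ... }} output tag, tolerating whitespace
# around the pipe and attribute access such as field.help_text.
_UNSAFE_HELP_TEXT = re.compile(r"\{\{[^}]*help_text\s*\|\s*safe[^}]*\}\}")


def find_unsafe_help_text_filters(template_source: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for each template line that renders help text with |safe."""
    hits = []
    for number, line in enumerate(template_source.splitlines(), start=1):
        if _UNSAFE_HELP_TEXT.search(line):
            hits.append((number, line.strip()))
    return hits


# Constructed sample template: line 5 uses |safe (to be removed per the
# advisory), line 8 renders help text the way Django's documentation shows.
SAMPLE_TEMPLATE = """\
<form method="post">
  {% for field in form %}
    <div class="field">
      {{ field.label_tag }} {{ field }}
      <p class="help">{{ field.help_text|safe }}</p>
    </div>
  {% endfor %}
  <p class="help">{{ form.email.help_text }}</p>
</form>
"""

# Constructed sample of editor-supplied help text containing markup.
SAMPLE_HELP_TEXT = "Enter your <b>work</b> e-mail address"


def main() -> None:
    print("escaped: ", render_help_text(SAMPLE_HELP_TEXT))
    print("allowed: ", render_help_text(SAMPLE_HELP_TEXT, allow_html=True))
    for number, line in find_unsafe_help_text_filters(SAMPLE_TEMPLATE):
        print(f"line {number}: help text rendered with |safe -> {line}")


if __name__ == "__main__":
    main()
```

Running the audit over a project's template directory (reading each file into `find_unsafe_help_text_filters`) gives a quick list of places where upgrading alone does not help, because the template itself marks the help text as safe.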
