Release notes for 2.7.2

2020-04-14 01:53:38 +01:00 · 2020-04-14 01:53:38 +01:00 · 1d043914b4
commit 1d043914b4
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -83,6 +83,12 @@ Changelog
 * Fix: Make sure all modal chooser search results correspond to the latest search by canceling previous requests (Esper Kuijs)


+2.7.2 (14.04.2020)
+~~~~~~~~~~~~~~~~~~
+
+ * Fix: CVE-2020-11001 - prevent XSS attack via page revision comparison view (Vlad Gerasimenko, Matt Westcott)
+
+
 2.7.1 (08.01.2020)
 ~~~~~~~~~~~~~~~~~~

--- a/CONTRIBUTORS.rst
+++ b/CONTRIBUTORS.rst
@ -444,6 +444,7 @@ Contributors
 * Karran Besen
 * Mohamed Feddad
 * Michał (Quadric) Sieradzki
+* Vlad Gerasimenko

 Translators
 ===========
--- a/docs/releases/2.7.2.rst
+++ b/docs/releases/2.7.2.rst
@ -0,0 +1,10 @@
+===========================
+Wagtail 2.7.2 release notes
+===========================
+
+CVE-2020-11001: Possible XSS attack via page revision comparison view
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This release addresses a cross-site scripting (XSS) vulnerability on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
+
+Many thanks to Vlad Gerasimenko for reporting this issue.
--- a/docs/releases/index.rst
+++ b/docs/releases/index.rst
@ -7,6 +7,7 @@ Release notes
   upgrading
   2.9
   2.8
+   2.7.2
   2.7.1
   2.7
   2.6.3