Release note for CVE-2021-29434 in 2.12.4

2021-04-19 09:59:01 +01:00 · 2021-04-19 09:59:01 +01:00 · a44312f48f
commit a44312f48f
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -40,6 +40,7 @@ Changelog
 2.12.4 (xx.xx.xxxx)
 ~~~~~~~~~~~~~~~~~~~

+ * Fix: CVE-2021-29434 - fix improper validation of URLs ('Cross-site Scripting') in rich text fields (Kevin Breen, Matt Westcott)
 * Fix: Reverse migration errors in images and documents (Mike Brown)
 * Fix: Avoid wagtailembeds migration failure on MySQL 8.0.13+ (Matt Westcott)
 
--- a/CONTRIBUTORS.rst
+++ b/CONTRIBUTORS.rst
@ -504,6 +504,7 @@ Contributors
 * Susan Dreher
 * Dale Evans
 * Vlad Podgurschi
+* Kevin Breen

 Translators
 ===========
--- a/docs/releases/2.12.4.rst
+++ b/docs/releases/2.12.4.rst
@ -10,6 +10,14 @@ Wagtail 2.12.4 release notes - IN DEVELOPMENT
 What's new
 ==========

+CVE-2021-29434: Improper validation of URLs ('Cross-site Scripting') in rich text fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This release addresses a cross-site scripting (XSS) vulnerability in rich text fields. When saving the contents of a rich text field in the admin interface, Wagtail did not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with javascript: URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
+
+Many thanks to Kevin Breen for reporting this issue.
+
+
 Bug fixes
 ~~~~~~~~~