From a44312f48f436df50bc920aa9b071de47cdcbb78 Mon Sep 17 00:00:00 2001 From: Matt Westcott Date: Mon, 19 Apr 2021 09:59:01 +0100 Subject: [PATCH] Release note for CVE-2021-29434 in 2.12.4 --- CHANGELOG.txt | 1 + CONTRIBUTORS.rst | 1 + docs/releases/2.12.4.rst | 8 ++++++++ 3 files changed, 10 insertions(+) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 07d49fc218..a6cd2d1cf5 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -40,6 +40,7 @@ Changelog 2.12.4 (xx.xx.xxxx) ~~~~~~~~~~~~~~~~~~~ + * Fix: CVE-2021-29434 - fix improper validation of URLs ('Cross-site Scripting') in rich text fields (Kevin Breen, Matt Westcott) * Fix: Reverse migration errors in images and documents (Mike Brown) * Fix: Avoid wagtailembeds migration failure on MySQL 8.0.13+ (Matt Westcott) diff --git a/CONTRIBUTORS.rst b/CONTRIBUTORS.rst index 018214b2aa..982abb18d2 100644 --- a/CONTRIBUTORS.rst +++ b/CONTRIBUTORS.rst @@ -504,6 +504,7 @@ Contributors * Susan Dreher * Dale Evans * Vlad Podgurschi +* Kevin Breen Translators =========== diff --git a/docs/releases/2.12.4.rst b/docs/releases/2.12.4.rst index 089a09c2a1..21b6a5da11 100644 --- a/docs/releases/2.12.4.rst +++ b/docs/releases/2.12.4.rst 
@@ -10,6 +10,14 @@ Wagtail 2.12.4 release notes - IN DEVELOPMENT What's new ========== +CVE-2021-29434: Improper validation of URLs ('Cross-site Scripting') in rich text fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This release addresses a cross-site scripting (XSS) vulnerability in rich text fields. When saving the contents of a rich text field in the admin interface, Wagtail did not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with javascript: URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. + +Many thanks to Kevin Breen for reporting this issue. + + Bug fixes ~~~~~~~~~
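Review bot: In the CHANGELOG.txt hunk the new CVE-2021-29434 entry is placed first in the 2.12.4 list and is worded consistently with the docs heading, but the section header directly above it still reads `2.12.4 (xx.xx.xxxx)`; the release date placeholder needs filling in before the version is tagged, otherwise the security fix ships under an undated changelog heading.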
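Review bot: The CONTRIBUTORS.rst hunk appends `* Kevin Breen` at the end of the contributor list, which matches the credit given in the release notes and follows the file's non-alphabetical (append-in-order) convention seen with the surrounding entries `* Dale Evans` and `* Vlad Podgurschi`; no change needed.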
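Review bot: The new CVE-2021-29434 section in docs/releases/2.12.4.rst describes the missing server-side check but never states what this release actually changes or which versions are affected; a reader upgrading for the advisory needs both. Suggest adding one sentence after the description along the lines of "Wagtail now validates link URLs server-side when rich text content is saved, rejecting protocols other than those permitted" (adjusted to match the actual fix), plus the affected version range and a pointer to the published advisory. Also worth tightening the last sentence: "not exploitable by an ordinary site visitor" reads as if visitors are unaffected, whereas the risk is that only an admin-level user can inject the `javascript:` URL, while any visitor who later clicks the published link would run it; saying "cannot be introduced by" rather than "not exploitable by" makes the trust boundary explicit.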