Release notes for 2.8.1

2020-04-14 02:04:16 +01:00 · 2020-04-14 02:04:16 +01:00 · deb1213148
commit deb1213148
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -45,6 +45,12 @@ Changelog
 * Fix: Invalid focal_point attribute on image edit view (Michał (Quadric) Sieradzki)


+2.8.1 (14.04.2020)
+~~~~~~~~~~~~~~~~~~
+
+ * Fix: CVE-2020-11001 - prevent XSS attack via page revision comparison view (Vlad Gerasimenko, Matt Westcott)
+
+
 2.8 (03.02.2020)
 ~~~~~~~~~~~~~~~~

--- a/docs/releases/2.8.1.rst
+++ b/docs/releases/2.8.1.rst
@ -0,0 +1,10 @@
+===========================
+Wagtail 2.8.1 release notes
+===========================
+
+CVE-2020-11001: Possible XSS attack via page revision comparison view
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This release addresses a cross-site scripting (XSS) vulnerability on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
+
+Many thanks to Vlad Gerasimenko for reporting this issue.
--- a/docs/releases/index.rst
+++ b/docs/releases/index.rst
@ -6,6 +6,7 @@ Release notes

   upgrading
   2.9
+   2.8.1
   2.8
   2.7.2
   2.7.1