Date: Fri, 24 Jul 2020 19:08:54 +0000 (UTC) From: Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r543372 - head/security/vuxml Message-ID: <202007241908.06OJ8s7t049638@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: sunpoet Date: Fri Jul 24 19:08:54 2020 New Revision: 543372 URL: https://svnweb.freebsd.org/changeset/ports/543372 Log: Document wagtail vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Jul 24 19:08:48 2020 (r543371) +++ head/security/vuxml/vuln.xml Fri Jul 24 19:08:54 2020 (r543372) @@ -58,6 +58,46 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="e1d3a580-cd8b-11ea-bad0-08002728f74c"> + <topic>Wagtail -- XSS vulnerability</topic> + <affects> + <package> + <name>py36-wagtail</name> + <name>py37-wagtail</name> + <name>py38-wagtail</name> + <range><ge>2.8.0</ge><lt>2.9.3</lt></range> + <range><lt>2.7.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>GitHub Advisory Database:</p> + <blockquote cite="https://github.com/advisories/GHSA-2473-9hgq-j7xw"> + <p>When a form page type is made available to Wagtail editors through the + wagtail.contrib.forms app, and the page template is built using + Django's standard form rendering helpers such as form.as_p (as directed + in the documentation), any HTML tags used within a form field's help + text will be rendered unescaped in the page. Allowing HTML within help + text is an intentional design decision by Django; however, as a matter + of policy Wagtail does not allow editors to insert arbitrary HTML by + default, as this could potentially be used to carry out cross-site + scripting attacks, including privilege escalation. This functionality + should therefore not have been made available to editor-level users.</p> + <p>The vulnerability is not exploitable by an ordinary site visitor + without access to the Wagtail admin.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/advisories/GHSA-2473-9hgq-j7xw</url> + <cvename>CVE-2020-15118</cvename> + </references> + <dates> + <discovery>2020-07-20</discovery> + <entry>2020-07-24</entry> + </dates> + </vuln> + <vuln vid="456375e1-cd09-11ea-9172-4c72b94353b5"> <topic>pango -- buffer overflow</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202007241908.06OJ8s7t049638>