VDB
KO
MEDIUM 6.1

GHSA-p4v8-rw59-93cq

Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface

Details

### Impact A stored Cross-site Scripting (XSS) vulnerability exists on confirmation messages within the `wagtail.contrib.simple_translation` module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

### Patches Patched versions have been released as Wagtail 6.3.8, 7.0.6, 7.2.3 and 7.3.1.

### Workarounds None

### Acknowledgements

Many thanks to Guan Chenxian (@GCXWLP) for reporting this issue.

### For more information

If there are any questions or comments about this advisory:

- Visit Wagtail's [support channels](https://docs.wagtail.io/en/stable/support.html) - Email Wagtail at [security@wagtail.org](mailto:security@wagtail.org) (view the [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / wagtail
Introduced in: 0 Fixed in: 6.3.8
Fix pip install --upgrade 'wagtail>=6.3.8'
PyPI / wagtail
Introduced in: 6.4rc1 Fixed in: 7.0.6
Fix pip install --upgrade 'wagtail>=7.0.6'
PyPI / wagtail
Introduced in: 7.1rc1 Fixed in: 7.2.3
Fix pip install --upgrade 'wagtail>=7.2.3'
PyPI / wagtail
Introduced in: 7.3rc1 Fixed in: 7.3.1
Fix pip install --upgrade 'wagtail>=7.3.1'

References