FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-28 14:09:37 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
17efbe19-4e72-426a-8016-2b4e001c1378py-wagtail -- stored XSS vulnerability

A stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface.

A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled.

For page, the vulnerability is in the "Choose a parent page" ModelAdmin view, available when managing pages via ModelAdmin.

For documents, the vulnerability is in the ModelAdmin Inspect view when displaying document fields.


Discovery 2023-04-03
Entry 2023-08-31
py37-wagtail
py38-wagtail
py39-wagtail
py310-wagtail
py311-wagtail
< 4.1.4

ge 4.2.0 lt 4.2.2

CVE-2023-28836
https://osv.dev/vulnerability/GHSA-5286-f2rf-35c2
e1d3a580-cd8b-11ea-bad0-08002728f74cWagtail -- XSS vulnerability

GitHub Advisory Database:

When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django's standard form rendering helpers such as form.as_p (as directed in the documentation), any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.


Discovery 2020-07-20
Entry 2020-07-24
py36-wagtail
py37-wagtail
py38-wagtail
ge 2.8.0 lt 2.9.3

< 2.7.4

https://github.com/advisories/GHSA-2473-9hgq-j7xw
CVE-2020-15118
d5fead4f-8efa-11ea-a5c8-08002728f74cWagtail -- potential timing attack vulnerability

Wagtail release notes:

CVE-2020-11037: Potential timing attack on password-protected private pages

This release addresses a potential timing attack on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. (This is understood to be feasible on a local network, but not on the public internet.)


Discovery 2020-05-04
Entry 2020-05-05
py35-wagtail
py36-wagtail
py37-wagtail
py38-wagtail
< 2.7.3

ge 2.8 lt 2.8.2

https://docs.wagtail.io/en/latest/releases/2.8.2.html
https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6
CVE-2020-11037
8d85d600-84a9-11ea-97b9-08002728f74cWagtail -- XSS vulnerability

Wagtail release notes:

CVE-2020-11001: Possible XSS attack via page revision comparison view

This release addresses a cross-site scripting (XSS) vulnerability on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.


Discovery 2020-04-03
Entry 2020-04-22
py35-wagtail
py36-wagtail
py37-wagtail
py38-wagtail
< 2.7.2

https://docs.wagtail.io/en/latest/releases/2.7.2.html
https://github.com/advisories/GHSA-v2wc-pfq2-5cm6
CVE-2020-11001