FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
8d85d600-84a9-11ea-97b9-08002728f74cWagtail -- XSS vulnerability

Wagtail release notes:

CVE-2020-11001: Possible XSS attack via page revision comparison view

This release addresses a cross-site scripting (XSS) vulnerability on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.


Discovery 2020-04-03
Entry 2020-04-22
py35-wagtail
py36-wagtail
py37-wagtail
py38-wagtail
< 2.7.2

https://docs.wagtail.io/en/latest/releases/2.7.2.html
https://github.com/advisories/GHSA-v2wc-pfq2-5cm6
CVE-2020-11001
e1d3a580-cd8b-11ea-bad0-08002728f74cWagtail -- XSS vulnerability

GitHub Advisory Database:

When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django's standard form rendering helpers such as form.as_p (as directed in the documentation), any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.


Discovery 2020-07-20
Entry 2020-07-24
py36-wagtail
py37-wagtail
py38-wagtail
ge 2.8.0 lt 2.9.3

< 2.7.4

https://github.com/advisories/GHSA-2473-9hgq-j7xw
CVE-2020-15118
d5fead4f-8efa-11ea-a5c8-08002728f74cWagtail -- potential timing attack vulnerability

Wagtail release notes:

CVE-2020-11037: Potential timing attack on password-protected private pages

This release addresses a potential timing attack on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. (This is understood to be feasible on a local network, but not on the public internet.)


Discovery 2020-05-04
Entry 2020-05-05
py35-wagtail
py36-wagtail
py37-wagtail
py38-wagtail
< 2.7.3

ge 2.8 lt 2.8.2

https://docs.wagtail.io/en/latest/releases/2.8.2.html
https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6
CVE-2020-11037