wagtail 2.16rc2 vulnerabilities

Known vulnerabilities in the wagtail package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Regular Expression Denial of Service (ReDoS) wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) through the `parse_query_string` process. An attacker can cause the server to consume excessive resources and potentially crash by submitting specially crafted search queries. Note: This is only exploitable if the site uses the default or a custom search implementation that employs `parse_query_string`. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `wagtail` to version 5.2.6, 6.0.6, 6.1.3 or higher.	[,5.2.6)[6.0,6.0.6)[6.1,6.1.3)
M Improper Handling of Insufficient Permissions or Privileges wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the `wagtail.contrib.settings` module. An attacker with access to the admin and knowledge of the URL of the edit view for a settings model can modify settings without proper permissions. How to fix Improper Handling of Insufficient Permissions or Privileges? Upgrade `wagtail` to version 6.0.5, 6.1.2 or higher.	[,6.0.5)[6.1rc1,6.1.2)
L Race Condition wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Race Condition in `dispatch()` in `edit.py`, when two processes load the edit view of a page without a subscription. How to fix Race Condition? Upgrade `wagtail` to version 5.2rc1 or higher.	[,5.2rc1)
L Race Condition wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Race Condition in `create_or_update_for_object()` that could cause uniqueness errors when inserting reference index entries. How to fix Race Condition? Upgrade `wagtail` to version 5.2rc1 or higher.	[,5.2rc1)
L Direct Request ('Forced Browsing') wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Direct Request ('Forced Browsing') through the admin bulk action views. An attacker can disclose user names by making a direct URL request. Note: This is only exploitable if the attacker has a limited-permission editor account for the `Wagtail` admin. How to fix Direct Request ('Forced Browsing')? Upgrade `wagtail` to version 4.1.9, 5.0.5, 5.1.3 or higher.	[,4.1.9)[4.2,5.0.5)[5.1,5.1.3)
M Cross-site Scripting (XSS) wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `ModelAdmin` views within the admin interface due to improper user input sanitization. A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials. Note: The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with `ModelAdmin` enabled. How to fix Cross-site Scripting (XSS)? Upgrade `wagtail` to version 4.1.4, 4.2.2 or higher.	[1.5,4.1.4)[4.2,4.2.2)
M Denial of Service (DoS) wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper file size validation, which allows a user with access to upload images or documents through the Wagtail admin interface to upload a very large file. Note: The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. How to fix Denial of Service (DoS)? Upgrade `wagtail` to version 4.1.4, 4.2.2 or higher.	[,4.1.4)[4.2,4.2.2)

Vulnerability

Vulnerable Version

Regular Expression Denial of Service (ReDoS)

wagtail is an open source content management system built on Django.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) through the parse_query_string process. An attacker can cause the server to consume excessive resources and potentially crash by submitting specially crafted search queries.

Note: This is only exploitable if the site uses the default or a custom search implementation that employs parse_query_string.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade wagtail to version 5.2.6, 6.0.6, 6.1.3 or higher.

[,5.2.6)[6.0,6.0.6)[6.1,6.1.3)

Improper Handling of Insufficient Permissions or Privileges

wagtail is an open source content management system built on Django.

Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the wagtail.contrib.settings module. An attacker with access to the admin and knowledge of the URL of the edit view for a settings model can modify settings without proper permissions.

How to fix Improper Handling of Insufficient Permissions or Privileges?

Upgrade wagtail to version 6.0.5, 6.1.2 or higher.

[,6.0.5)[6.1rc1,6.1.2)

Race Condition

wagtail is an open source content management system built on Django.

Affected versions of this package are vulnerable to Race Condition in dispatch() in edit.py, when two processes load the edit view of a page without a subscription.

How to fix Race Condition?

Upgrade wagtail to version 5.2rc1 or higher.

[,5.2rc1)

Race Condition

wagtail is an open source content management system built on Django.

Affected versions of this package are vulnerable to Race Condition in create_or_update_for_object() that could cause uniqueness errors when inserting reference index entries.

How to fix Race Condition?

Upgrade wagtail to version 5.2rc1 or higher.

[,5.2rc1)

Direct Request ('Forced Browsing')

wagtail is an open source content management system built on Django.

Affected versions of this package are vulnerable to Direct Request ('Forced Browsing') through the admin bulk action views. An attacker can disclose user names by making a direct URL request.

Note:

This is only exploitable if the attacker has a limited-permission editor account for the Wagtail admin.

How to fix Direct Request ('Forced Browsing')?

Upgrade wagtail to version 4.1.9, 5.0.5, 5.1.3 or higher.

[,4.1.9)[4.2,5.0.5)[5.1,5.1.3)

Cross-site Scripting (XSS)

wagtail is an open source content management system built on Django.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ModelAdmin views within the admin interface due to improper user input sanitization. A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials.

Note: The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled.

How to fix Cross-site Scripting (XSS)?

Upgrade wagtail to version 4.1.4, 4.2.2 or higher.

[1.5,4.1.4)[4.2,4.2.2)

Denial of Service (DoS)

wagtail is an open source content management system built on Django.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper file size validation, which allows a user with access to upload images or documents through the Wagtail admin interface to upload a very large file.

Note: The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents.

How to fix Denial of Service (DoS)?

Upgrade wagtail to version 4.1.4, 4.2.2 or higher.

[,4.1.4)[4.2,4.2.2)

wagtail@2.16rc2 vulnerabilities

A Django content management system.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?