liqd / tempelhof

Project website for the civic participation website for Tempelhofer Feld in Berlin
https://tempelhofer-feld.berlin.de/

chore(deps): update dependency wagtail to v4.1.4 [security] #472

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

Package: wagtail (source, changelog)
Change: ==4.1.1 -> ==4.1.4

GitHub Vulnerability Alerts

CVE-2023-28836

Impact

A stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled.

Patches

Patched versions have been released as Wagtail 4.1.4 (for the LTS 4.1 branch) and Wagtail 4.2.2 (for the current 4.2 branch).

Workarounds

Site owners who are unable to upgrade to the new versions can disable or override the corresponding functionality.

ChooseParentView

For ChooseParentView:

One of those steps needs to be applied for every ModelAdmin class hooked into Wagtail where the model is a Wagtail Page or sub-class. Here is an example of implementing the custom ChooseParentView with patched HTML escaping:

from django import forms
from django.utils.translation import gettext as _
from wagtail.models import Page  # needed for the Page.objects.none() placeholder queryset
from wagtail.contrib.modeladmin.views import ChooseParentView
from wagtail.contrib.modeladmin.forms import ParentChooserForm

class PatchedPageChoiceField(forms.ModelChoiceField):
    """PageChoiceField with plain-text breadcrumbs to patch stored XSS."""
    def label_from_instance(self, obj):
        # Return plain text only; the widget escapes it on output, so an
        # editor-controlled page title cannot inject markup into the admin.
        bits = []
        for ancestor in (
            obj.get_ancestors(inclusive=True).exclude(depth=1).specific(defer=True)
        ):
            bits.append(ancestor.get_admin_display_title())
        return ' | '.join(bits)

class PatchedParentChooserForm(ParentChooserForm):
    """ParentChooserForm with custom parent_page to patch stored XSS."""
    parent_page = PatchedPageChoiceField(
        label=_("Parent page"),
        required=True,
        empty_label=None,
        queryset=Page.objects.none(),  # replaced with the valid parents in __init__
        widget=forms.RadioSelect(),
    )

class PatchedChooseParentView(ChooseParentView):
    """ChooseParentView with custom get_form to patch stored XSS."""
    def get_form(self, request):
        parents = self.permission_helper.get_valid_parent_pages(request.user)
        return PatchedParentChooserForm(parents, request.POST or None)

InspectView

For InspectView:

One of those steps needs to be applied for every ModelAdmin class hooked into Wagtail where inspect_view_enabled=True. Here is an example of implementing the custom InspectView with patched HTML escaping:

from django.template.defaultfilters import filesizeformat
from django.utils.html import format_html
from wagtail.contrib.modeladmin.views import InspectView

class PatchedInspectView(InspectView):
    """InspectView with override to patch stored XSS vulnerability."""
    def get_document_field_display(self, field_name, field):
        """Render a link to a document"""
        document = getattr(self.instance, field_name)
        if document:
            return format_html(
                '<a href="{}">{} <span class="meta">({}, {})</span></a>',
                document.url,
                document.title,
                document.file_extension.upper(),
                filesizeformat(document.file.size),
            )
        return self.model_admin.get_empty_value_display(field_name)

CVE-2023-28837

Impact

A memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents.

Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code.

Patches

Patched versions have been released as Wagtail 4.1.4 (for the LTS 4.1 branch) and Wagtail 4.2.2 (for the current 4.2 branch).

Workarounds

Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files. Exactly how this is done will vary based on your hosting environment, but here are a few references for common setups:

The changes themselves are deep inside Wagtail, making patching incredibly difficult.


Release Notes

wagtail/wagtail

v4.1.4 (https://togithub.com/wagtail/wagtail/releases/tag/v4.1.4): 4.1.4
Compare Source: https://togithub.com/wagtail/wagtail/compare/v4.1.3...v4.1.4

- Fix: CVE-2023-28836 - Stored XSS attack via ModelAdmin views (Thibaud Colas)
- Fix: CVE-2023-28837 - Denial-of-service via memory exhaustion when uploading large files (Jake Howard)
- Fix: Fix radio and checkbox elements shrinking when using a long label (Sage Abdullah)
- Fix: Fix select elements expanding beyond their container when using a long option label (Sage Abdullah)
- Fix: Fix timezone handling of `TemplateResponse`s for users with a custom timezone (Stefan Hammer, Sage Abdullah)
- Fix: Ensure TableBlock initialisation correctly runs after load and its width is aligned with the parent panel (Dan Braghis)
- Fix: Ensure that the JavaScript media files are loaded by default in Snippet index listings for date fields (Sage Abdullah)
- Fix: Fix server-side caching of the icons sprite (Thibaud Colas)
- Fix: Always show Add buttons, guide lines, Move up/down, Duplicate, Delete; in StreamField and Inline Panel (Thibaud Colas)
- Fix: Ensure datetimepicker widget overlay shows over modals & drop-downs (LB (Ben) Johnston)
- Maintenance: Render large image renditions to disk (Jake Howard)

v4.1.3 (https://togithub.com/wagtail/wagtail/releases/tag/v4.1.3): 4.1.3
Compare Source: https://togithub.com/wagtail/wagtail/compare/v4.1.2...v4.1.3

- Fix: Add right-to-left (RTL) support for the following form components: Switch, Minimap, live preview (Thibaud Colas)
- Fix: Improve right-to-left (RTL) positioning for the following components: Page explorer, Sidebar sub-menu, rich text tooltips, rich text toolbar trigger, editor section headers (Thibaud Colas)
- Fix: Ensure links within help blocks meet colour contrast guidelines for accessibility (Theresa Okoro)
- Fix: Support creating `StructValue` copies (Tidiane Dia)
- Fix: Fix "Edit this page" missing from userbar (Satvik Vashisht)
- Fix: Prevent audit log report from failing on missing models (Andy Chosak)
- Fix: Add missing log information for `wagtail.schedule.cancel` (Stefan Hammer)
- Fix: Fix timezone activation leaking into subsequent requests in `require_admin_access()` (Stefan Hammer)
- Fix: Prevent matches from unrelated models from leaking into SQLite FTS searches (Matt Westcott)
- Docs: Clarify `ClusterableModel` requirements for using relations with `RevisionMixin`-enabled models (Sage Abdullah)
- Maintenance: Update Algolia DocSearch to use new application and correct versioning setup (Thibaud Colas)

v4.1.2 (https://togithub.com/wagtail/wagtail/releases/tag/v4.1.2): 4.1.2
Compare Source: https://togithub.com/wagtail/wagtail/compare/v4.1.1...v4.1.2

- Fix: Make "Cancel scheduled publish" button correctly redirect back to the edit view (Sage Abdullah)
- Fix: Prevent crash when reverting revisions on a snippet with `PreviewableMixin` applied (Sage Abdullah)
- Fix: Use consistent heading styles on top-level fields in the page editor (Sage Abdullah)
- Fix: Allow button labels to wrap onto two lines in dropdown buttons (Coen van der Kamp)
- Fix: Move DateField, DateTimeField, TimeField comment buttons to be right next to the fields (Theresa Okoro)
- Fix: Support text resizing in workflow steps cards (Ivy Jeptoo)
- Fix: Use the correct padding for autocomplete block picker (Umar Farouk Yunusa)
- Fix: Fix horizontal positioning of rich text inline toolbar (Thibaud Colas)
- Fix: Close the userbar when clicking its toggle (Albina Starykova)
- Fix: Do not show bulk actions checkbox in page type usage view (Sage Abdullah)
- Fix: Prevent account name from overflowing the sidebar (Aman Pandey)
- Fix: Ensure edit form is displayed as unlocked immediately after cancelling a workflow (Sage Abdullah)
- Fix: Prevent `latest_revision` pointer from being copied over when copying translatable snippets for translation (Sage Abdullah)
- Docs: Document potential data loss for BaseLogEntry migration in 3.0 (Sage Abdullah)
- Docs: Add documentation for the reference index mechanism (Daniel Kirkham)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
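The two CVE-2023-28836 workarounds in the PR body differ from the pre-patch views only in whether editor-controlled titles are emitted as trusted markup or as escaped text. The following stand-alone Python is an added illustration of that difference; it is not code from this PR, from Wagtail, or from the tempelhof project. It runs offline with stdlib stand-ins: SafeString, mark_safe, format_html and render mimic Django's mark_safe, format_html and template autoescaping; FakePage and FakeDocument replace the ORM objects; the two "vulnerable" functions are assumed shapes written for contrast, not quotations of Wagtail's source; and the malicious page and document titles are constructed payloads.

```python
import html
from dataclasses import dataclass
from typing import List, Optional


class SafeString(str):
    """Marker type standing in for Django's SafeString: autoescaping skips it."""


def mark_safe(s: str) -> SafeString:
    """Stand-in for django.utils.safestring.mark_safe."""
    return SafeString(s)


def render(value: str) -> str:
    """Mimic Django template autoescaping: escape anything not marked safe."""
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(value, quote=True)


def format_html(template: str, *args: object) -> SafeString:
    """Stand-in for django.utils.html.format_html: escape each argument, then mark safe."""
    return mark_safe(template.format(*(html.escape(str(a), quote=True) for a in args)))


@dataclass
class FakePage:
    """Minimal page-tree node: admin display title, depth (root is depth 1), parent."""
    title: str
    depth: int
    parent: Optional["FakePage"] = None

    def get_ancestors_inclusive(self) -> List["FakePage"]:
        """Root-first chain including self, like Page.get_ancestors(inclusive=True)."""
        chain: List[FakePage] = []
        node: Optional[FakePage] = self
        while node is not None:
            chain.append(node)
            node = node.parent
        chain.reverse()
        return chain


@dataclass
class FakeDocument:
    """Fields the InspectView document renderer reads (assumed stand-in)."""
    title: str
    url: str
    file_extension: str
    size_bytes: int


def vulnerable_parent_label(page: FakePage) -> str:
    """Assumed pre-fix shape: titles joined with markup and marked safe, so an
    editor-controlled title is emitted into the admin HTML unescaped."""
    bits = [p.title for p in page.get_ancestors_inclusive() if p.depth != 1]
    return mark_safe('<span class="icon icon-arrow-right"></span>'.join(bits))


def patched_parent_label(page: FakePage) -> str:
    """Workaround shape: plain text, escaped by the widget on output."""
    bits = [p.title for p in page.get_ancestors_inclusive() if p.depth != 1]
    return " | ".join(bits)


def vulnerable_document_display(document: FakeDocument) -> str:
    """Assumed pre-fix shape: %-formatted string marked safe without escaping."""
    return mark_safe(
        '<a href="%s">%s <span class="meta">(%s, %s)</span></a>'
        % (document.url, document.title, document.file_extension.upper(),
           f"{document.size_bytes} bytes")
    )


def patched_document_display(document: FakeDocument) -> str:
    """Workaround shape: format_html escapes every interpolated value."""
    return format_html(
        '<a href="{}">{} <span class="meta">({}, {})</span></a>',
        document.url,
        document.title,
        document.file_extension.upper(),
        f"{document.size_bytes} bytes",
    )


def demo() -> dict:
    """Render a constructed malicious title through both shapes of each view."""
    root = FakePage("Root", 1)
    home = FakePage("Home", 2, root)
    # Constructed payloads: titles a limited-permission editor could save.
    evil_page = FakePage('News<img src=x onerror="alert(1)">', 3, home)
    evil_doc = FakeDocument('Report"><script>alert(2)</script>',
                            "/documents/1/report.pdf", "pdf", 2048)
    return {
        "parent_vulnerable": render(vulnerable_parent_label(evil_page)),
        "parent_patched": render(patched_parent_label(evil_page)),
        "document_vulnerable": render(vulnerable_document_display(evil_doc)),
        "document_patched": render(patched_document_display(evil_doc)),
    }


if __name__ == "__main__":
    for name, markup in demo().items():
        print(f"{name}: {markup}")
```

The point to take from the output is that both patched shapes still produce a working link and breadcrumb for ordinary titles; the only behavioural change is that `<`, `>` and `"` in editor-supplied strings reach the browser as entities, which is why the workaround is safe to apply without waiting for the upgrade.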