FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2025-02-02 08:34:31 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
17efbe19-4e72-426a-8016-2b4e001c1378	py-wagtail -- stored XSS vulnerability A stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled. For page, the vulnerability is in the "Choose a parent page" ModelAdmin view, available when managing pages via ModelAdmin. For documents, the vulnerability is in the ModelAdmin Inspect view when displaying document fields. Discovery 2023-04-03 Entry 2023-08-31 py37-wagtail py38-wagtail py39-wagtail py310-wagtail py311-wagtail < 4.1.4 >= 4.2.0 lt 4.2.2 CVE-2023-28836 https://osv.dev/vulnerability/GHSA-5286-f2rf-35c2
e1d3a580-cd8b-11ea-bad0-08002728f74c	Wagtail -- XSS vulnerability GitHub Advisory Database: When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django's standard form rendering helpers such as form.as_p (as directed in the documentation), any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Discovery 2020-07-20 Entry 2020-07-24 py36-wagtail py37-wagtail py38-wagtail >= 2.8.0 lt 2.9.3 < 2.7.4 https://github.com/advisories/GHSA-2473-9hgq-j7xw CVE-2020-15118

VuXML ID

Description

17efbe19-4e72-426a-8016-2b4e001c1378

py-wagtail -- stored XSS vulnerability

A stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface.

A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled.

For page, the vulnerability is in the "Choose a parent page" ModelAdmin view, available when managing pages via ModelAdmin.

For documents, the vulnerability is in the ModelAdmin Inspect view when displaying document fields.

Discovery 2023-04-03
Entry 2023-08-31
py37-wagtail
py38-wagtail
py39-wagtail
py310-wagtail
py311-wagtail

< 4.1.4

>= 4.2.0 lt 4.2.2

CVE-2023-28836
https://osv.dev/vulnerability/GHSA-5286-f2rf-35c2

e1d3a580-cd8b-11ea-bad0-08002728f74c

Wagtail -- XSS vulnerability

GitHub Advisory Database:

When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django's standard form rendering helpers such as form.as_p (as directed in the documentation), any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Discovery 2020-07-20
Entry 2020-07-24
py36-wagtail
py37-wagtail
py38-wagtail

>= 2.8.0 lt 2.9.3

< 2.7.4

https://github.com/advisories/GHSA-2473-9hgq-j7xw
CVE-2020-15118