
CVE-2021-32681: Cross-site Scripting in wagtail

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.52383%
Published: 6/17/2021
Updated: 11/19/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| wagtail | pip | < 2.11.8 | 2.11.8 |
| wagtail | pip | >= 2.12, < 2.12.5 | 2.12.5 |
| wagtail | pip | >= 2.13, < 2.13.2 | 2.13.2 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the `{% include_block %}` template tag's handling of FieldBlock-derived values that do not specify a custom template. The advisory explicitly states that this tag's output is not properly escaped in these cases. The workaround (using Django's `{{ }}` syntax, which auto-escapes) confirms that the issue lies in the template tag's escaping logic. The patched versions would have modified the tag's rendering logic to add proper escaping, and the CWE-79 classification maps directly to missing output encoding in template rendering.
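To make the escaping point concrete, the following is an added, simplified illustration written for this page; it is not Wagtail's or Django's code. The `SafeString` marker, the `render_block_unescaped` / `render_block_escaped` functions and the sample block values are all assumed names constructed here. It contrasts a renderer that emits a plain-text block value as-is (the defect class the advisory describes) with one that applies conditional escaping the way Django's `{{ }}` auto-escaping does, passing through only values explicitly marked safe.

```python
import html


class SafeString(str):
    """Marker type for strings already known to be safe HTML.

    Assumed for this example; it mirrors the idea behind Django's
    SafeString but is not Django's implementation.
    """


def conditional_escape(value):
    """Escape `value` for HTML unless it is explicitly marked safe."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def render_block_unescaped(value):
    """Defective behaviour: the block value is emitted verbatim.

    This models the missing-output-encoding defect (CWE-79) described in
    the root cause analysis, not Wagtail's actual tag code.
    """
    return str(value)


def render_block_escaped(value):
    """Mitigated behaviour: escape on output, as {{ }} auto-escaping does."""
    return conditional_escape(value)


def render_stream(block_values, renderer):
    """Render a sequence of plain-text block values with the given renderer."""
    return "".join(renderer(v) for v in block_values)


# Constructed sample block values: one user-supplied string containing
# markup, and one value explicitly marked safe by the application.
SAMPLE_BLOCKS = [
    "Hello <b>world</b> & friends",
    SafeString("<p>trusted markup</p>"),
]

if __name__ == "__main__":
    print("unescaped:", render_stream(SAMPLE_BLOCKS, render_block_unescaped))
    print("escaped:  ", render_stream(SAMPLE_BLOCKS, render_block_escaped))
```

The defensive takeaway matches the advisory's workaround: output encoding belongs at the point of rendering, and only values the application has deliberately marked safe should bypass it.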

Vulnerable functions


WAF Protection Rules

WAF Rule

### Impact When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for
