SCA: security update for wagtail (GHSA-5286-f2rf-35c2)

high Tenable Cloud Security Plugin ID 410500

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Wagtail is an open source content management system built on Django. Starting in version 1.5 and prior to
versions 4.1.4 and 4.2.2, a stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views
within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin
could potentially craft pages and documents that, when viewed by a user with higher privileges, could
perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site
visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled. For page, the
vulnerability is in the "Choose a parent page" ModelAdmin view (`ChooseParentView`), available when
managing pages via ModelAdmin. For documents, the vulnerability is in the ModelAdmin Inspect view
(`InspectView`) when displaying document fields. Patched versions have been released as Wagtail 4.1.4 and
Wagtail 4.2.2. Site owners who are unable to upgrade to the new versions can disable or override the
corresponding functionality. (CVE-2023-28836)

See Also

https://github.com/advisories/GHSA-5286-f2rf-35c2

Plugin Details

Severity: High

ID: 410500

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2023-28836

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.5

Threat Score: 4.8

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/3/2023

Vulnerability Publication Date: 4/3/2023

Reference Information

CVE: CVE-2023-28836

cwe: CWE-79