SCA: security update for wagtail (GHSA-xqxm-2rpm-3889)

medium Tenable Self-Hosted Container Security Plugin ID 420630

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Wagtail is a Django based content management system focused on flexibility and user experience. When
notifications for new replies in comment threads are sent, they are sent to all users who have replied or
commented anywhere on the site, rather than only in the relevant threads. This means that a user could
listen in to new comment replies on pages they have not have editing access to, as long as they have left
a comment or reply somewhere on the site. A patched version has been released as Wagtail 2.15.2, which
restores the intended behaviour - to send notifications for new replies to the participants in the active
thread only (editing permissions are not considered). New comments can be disabled by setting
`WAGTAILADMIN_COMMENTS_ENABLED = False` in the Django settings file. (CVE-2022-21683)

See Also

https://github.com/advisories/GHSA-xqxm-2rpm-3889

Plugin Details

Severity: Medium

ID: 420630

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2022-21683

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.1

Threat Score: 1.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/21/2022

Vulnerability Publication Date: 1/18/2022

Reference Information

CVE: CVE-2022-21683

cwe: CWE-200