Commit 55cb4b8

Release notes for 2.7.2
1 parent 60b1146 commit 55cb4b8

4 files changed

Lines changed: 18 additions & 0 deletions

CHANGELOG.txt

Lines changed: 6 additions & 0 deletions
@@ -1,6 +1,12 @@
11
Changelog
22
=========
33

4+
2.7.2 (14.04.2020)
5+
~~~~~~~~~~~~~~~~~~
6+
7+
* Fix: CVE-2020-11001 - prevent XSS attack via page revision comparison view (Vlad Gerasimenko, Matt Westcott)
8+
9+
410
2.7.1 (08.01.2020)
511
~~~~~~~~~~~~~~~~~~
612
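
Review bot: The new 2.7.2 entry in CHANGELOG.txt names CVE-2020-11001 but leaves out the precondition that the release notes give, namely that exploitation needs a limited-permission editor account in the Wagtail admin. Consider adding that qualifier to the entry so that someone triaging from the changelog alone can gauge exposure without opening docs/releases/2.7.2.rst.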

CONTRIBUTORS.rst

Lines changed: 1 addition & 0 deletions
@@ -418,6 +418,7 @@ Contributors
418418
* ryanomor
419419
* Thijs Baaijen
420420
* Stefani Castellanos
421+
* Vlad Gerasimenko
421422

422423
Translators
423424
===========

docs/releases/2.7.2.rst

Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
===========================
2+
Wagtail 2.7.2 release notes
3+
===========================
4+
5+
CVE-2020-11001: Possible XSS attack via page revision comparison view
6+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
7+
8+
This release addresses a cross-site scripting (XSS) vulnerability on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
9+
10+
Many thanks to Vlad Gerasimenko for reporting this issue.
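
Review bot: The added paragraph in docs/releases/2.7.2.rst explains the impact and who can trigger it, but it never says which Wagtail versions are affected or what site owners should do. Suggest adding a sentence that states the affected version range and that upgrading to 2.7.2 is the remediation, along with a link to the published advisory for CVE-2020-11001, so an operator can act on these notes without looking elsewhere.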

docs/releases/index.rst

Lines changed: 1 addition & 0 deletions
@@ -5,6 +5,7 @@ Release notes
55
:maxdepth: 1
66

77
upgrading
8+
2.7.2
89
2.7.1
910
2.7
1011
2.6.3
