CVE-2020-11001: 
Python vulnerability analysis and mitigation

CVE-2020-11001 is a cross-site scripting (XSS) vulnerability discovered in Wagtail versions before 2.8.1 and 2.7.2. The vulnerability exists in the page revision comparison view within the Wagtail admin interface. The issue was disclosed on April 14, 2020, affecting Wagtail versions from 1.9 through 2.7.1 and 2.8 (GitHub Advisory).

The vulnerability is classified as a cross-site scripting (XSS) issue, with a CVSS v3.1 base score of 6.8 (Medium) according to NVD, and 5.8 (Medium) according to GitHub. The vulnerability exists specifically in the page revision comparison view of the Wagtail admin interface, where HTML content was not properly escaped when displaying differences between revisions (NVD).

The vulnerability allows a user with limited-permission editor account access to the Wagtail admin to craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. It's important to note that the vulnerability is not exploitable by ordinary site visitors who don't have access to the Wagtail admin interface (GitHub Advisory).

The vulnerability has been patched in Wagtail versions 2.7.2 (for the LTS 2.7 branch) and 2.8.1 (for the 2.8 branch). For users unable to upgrade immediately, a workaround is available by disabling the revision comparison view through URL configuration in the project's urls.py file (GitHub Advisory).