
Cloud Vulnerability DB
A community-led vulnerabilities database
A stored cross-site scripting (XSS) vulnerability (CVE-2023-28836) was found in Wagtail, an open source content management system built on Django. Affected versions are 1.5 up to but excluding 4.1.4, and 4.2 up to but excluding 4.2.2. The issue was publicly disclosed in April 2023 and fixed in the same month with the release of Wagtail 4.1.4 and 4.2.2 (GitHub Advisory).
The vulnerability lies in two ModelAdmin views of the Wagtail admin interface: the 'Choose a parent page' view (ChooseParentView), shown when a page model is managed through ModelAdmin, and the Inspect view (InspectView) when it displays document fields. In both views, values that editors control, such as page and document titles, were inserted into the rendered HTML without escaping, so markup stored in those values is executed by the browser of whoever opens the view. NVD assigns a CVSS v3.1 base score of 6.4 MEDIUM (Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H) (NVD).
An attacker needs only a limited-permission editor account in the Wagtail admin. By creating a page or uploading a document whose title contains script, the editor can get that script to run in the admin session of a higher-privileged user who later opens the affected view, and so perform actions with that user's privileges. Ordinary site visitors without access to the Wagtail admin cannot exploit the flaw, and only sites with ModelAdmin enabled are affected (GitHub Advisory).
Patched versions are Wagtail 4.1.4 and 4.2.2. Sites that cannot upgrade have a workaround for each view: for ChooseParentView, either do not register any page model with ModelAdmin, or supply a custom view through the choose_parent_view_class attribute that escapes the values it renders; for InspectView, remove inspect_view_enabled = True from the ModelAdmin definition, use inspect_view_fields to keep document fields out of the display, or supply a custom view through inspect_view_class with proper escaping (GitHub Advisory).
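The pattern behind both views, and the fix a custom view would apply, as an added illustration that is not Wagtail's own code: an editor-controlled document title is interpolated into an HTML fragment that is then marked safe, versus the same fragment built with Django's format_html, which escapes every interpolated value. The FakeDocument class, the PAYLOAD_TITLE sample, and the two render functions are constructed for this example; the module imports the real Django helpers when Django is installed and otherwise falls back to stdlib equivalents that produce the same output.

```python
"""Stored XSS through an unescaped document title, and the escaped form.

Added example, not Wagtail code. Mirrors the general shape of the bug:
HTML assembled by string formatting and marked safe as a whole.
"""
from dataclasses import dataclass

try:
    # Real Django helpers; a Wagtail inspect_view_class override would use these.
    from django.utils.html import escape, format_html
    from django.utils.safestring import mark_safe
except ImportError:  # stdlib fallback so the example runs without Django
    import html

    def escape(value):
        # Same output as django.utils.html.escape for str input.
        return html.escape(str(value), quote=True)

    def mark_safe(value):
        # Stand-in: Django would wrap this in SafeString; plain str here.
        return value

    def format_html(template, *args, **kwargs):
        # Minimal stand-in: escape every argument, then interpolate.
        return template.format(
            *[escape(a) for a in args],
            **{k: escape(v) for k, v in kwargs.items()},
        )


@dataclass
class FakeDocument:
    """Constructed stand-in for a Wagtail Document. An editor sets title."""
    title: str
    url: str
    file_extension: str
    size_display: str


def render_document_link_unsafe(doc):
    """Vulnerable pattern: % formatting, then the whole string is marked safe,
    so the editor-controlled title reaches the page verbatim."""
    return mark_safe(
        '<a href="%s">%s <span class="meta">(%s, %s)</span></a>'
        % (doc.url, doc.title, doc.file_extension.upper(), doc.size_display)
    )


def render_document_link_safe(doc):
    """Fixed pattern: format_html escapes each interpolated value and marks
    only the resulting, correctly escaped string as safe."""
    return format_html(
        '<a href="{}">{} <span class="meta">({}, {})</span></a>',
        doc.url, doc.title, doc.file_extension.upper(), doc.size_display,
    )


def contains_live_markup(rendered):
    """Check whether the injected tag survived unescaped in the output."""
    return "<img" in str(rendered)


# Constructed sample: a title a limited-permission editor could give a document.
PAYLOAD_TITLE = 'Quarterly report<img src=x onerror="alert(document.cookie)">'
SAMPLE_DOC = FakeDocument(
    title=PAYLOAD_TITLE,
    url="/documents/1/report.pdf",
    file_extension="pdf",
    size_display="12.3 KB",
)

if __name__ == "__main__":
    print("unsafe:", render_document_link_unsafe(SAMPLE_DOC))
    print("safe:  ", render_document_link_safe(SAMPLE_DOC))
```

The unsafe variant emits the img element intact, so the onerror handler fires for any admin user who opens the view; the safe variant turns the angle brackets and quotes into entities and the title is displayed as text. When applying the advisory's workaround through inspect_view_class or choose_parent_view_class, the custom view should build its HTML with format_html (or escape each value before any mark_safe), never by formatting a string and marking the result safe.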
Source: This report was generated using AI