Wagtail CMS Stored Cross-Site Scripting Vulnerability in Document Upload Feature

Vulnerability

A stored cross-site scripting vulnerability has been identified in Wagtail CMS version 6.4.1. The issue lies in the document upload functionality, where attackers can embed malicious scripts in PDF files. When these files are accessed through the CMS interface, the injected scripts are executed. The vulnerability is particularly concerning when Wagtail is configured to use a cloud storage service such as AWS S3, because this can bypass Wagtail's default privacy checks and allow scripts in documents to execute.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the document.

Reproduction

To reproduce this vulnerability, upload a PDF file containing a malicious script, such as one that triggers a JavaScript alert. After uploading, access the Wagtail CMS and locate the uploaded PDF. Click on the PDF link to open it. The malicious script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users can mitigate this vulnerability by serving documents with a 'Content-Disposition: attachment' header, which forces a download instead of inline viewing, where embedded scripts could execute. Additionally, a strict 'Content-Security-Policy' can prevent execution of embedded scripts. Wagtail has introduced a default 'Content-Security-Policy' header when serving documents through a Django view, but this may not apply if documents are served from a cloud storage service like S3.
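
A check for the two mitigations above, as an added example (not code from Wagtail or from this advisory): it audits the response headers returned for a document URL and reports which mitigation is missing. The header sets are constructed, and accepting only 'none' script sources or a sandbox without allow-scripts as a strict policy is an assumption of the example.

```python
# Added example: audit the headers returned for a document URL.

def get_header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""

def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().lower().split()
        if tokens and tokens[0] not in policy:
            policy[tokens[0]] = tokens[1:]
    return policy

def audit_document_headers(headers):
    """Return findings; an empty list means both mitigations are present."""
    findings = []
    disposition = get_header(headers, "Content-Disposition").split(";")[0].strip().lower()
    if disposition != "attachment":
        findings.append("not-attachment")
    policy = parse_csp(get_header(headers, "Content-Security-Policy"))
    # script-src falls back to default-src when it is not set.
    script_sources = policy.get("script-src", policy.get("default-src"))
    sandboxed = "sandbox" in policy and "allow-scripts" not in policy["sandbox"]
    # Assumption: only 'none' or a script-less sandbox counts as strict here.
    if script_sources != ["'none'"] and not sandboxed:
        findings.append("csp-allows-scripts")
    return findings

# Constructed header sets (not captured from a real deployment).
HARDENED = {"Content-Type": "application/pdf",
            "Content-Disposition": 'attachment; filename="report.pdf"',
            "Content-Security-Policy": "default-src 'none'"}
INLINE_WITH_CSP = {"content-disposition": 'inline; filename="report.pdf"',
                   "Content-Security-Policy": "default-src 'none'"}
BUCKET_DEFAULTS = {"Content-Type": "application/pdf"}  # no mitigation headers set
SANDBOX_WITH_SCRIPTS = {"Content-Disposition": "attachment",
                        "Content-Security-Policy": "sandbox allow-scripts"}

if __name__ == "__main__":
    for name, sample in [("hardened", HARDENED), ("inline", INLINE_WITH_CSP),
                         ("bucket", BUCKET_DEFAULTS), ("sandbox", SANDBOX_WITH_SCRIPTS)]:
        print(name, audit_document_headers(sample) or "ok")
```

Run it against the headers of the URL the browser finally loads the document from, since a storage bucket's response may differ from the Django view's.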

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.