Wagtail
cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*
- < 6.3.8
- >= 6.4, <= 7.0.5
- >= 7.1, <= 7.2.2
- ~7.3
A stored cross-site scripting vulnerability has been identified in Wagtail's TableBlock feature within StreamFields. This issue affects Wagtail versions prior to 6.3.8, as well as 6.4, 7.0.0 through 7.0.5, 7.1.0 through 7.2.2, and 7.3.0. The vulnerability allows users with page editing privileges to inject malicious JavaScript into class attributes of TableBlock elements. When these pages are viewed by users with higher privileges, the injected script could be executed, potentially leading to unauthorized actions being performed with that user's credentials.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.
To reproduce this vulnerability, create a TableBlock within a StreamField on a site running a vulnerable Wagtail version. Inject JavaScript payloads into the class attributes of the TableBlock. When the page is viewed by a user with higher privileges, the injected script will execute, demonstrating the cross-site scripting vulnerability.
Users can upgrade to Wagtail versions 6.3.8, 7.0.6, 7.2.3, or 7.3.1, where this vulnerability has been patched. Alternatively, users can set a template attribute on TableBlock definitions to reference a template that does not output class attributes.
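To check a deployment against the ranges listed above, the following added example (not part of the advisory or of Wagtail's code) scans a requirements file for an exact `wagtail` pin and reports the fixed release to move to. The function names and the sample file are constructed for illustration, and `~7.3` is assumed to mean 7.3.0 only, since 7.3.1 is listed as patched.

```python
import re

# Half-open ranges [low, high) built from this page's affected-version list;
# each upper bound is a fixed release the page names. "~7.3" is read as 7.3.0
# only, because the page lists 7.3.1 as patched (assumption).
AFFECTED = [
    ((0, 0, 0), (6, 3, 8)),   # < 6.3.8
    ((6, 4, 0), (7, 0, 6)),   # >= 6.4, <= 7.0.5
    ((7, 1, 0), (7, 2, 3)),   # >= 7.1, <= 7.2.2
    ((7, 3, 0), (7, 3, 1)),   # ~7.3
]
# Matches the wagtail package itself (with optional extras), not wagtail-* add-ons.
NAME = re.compile(r"^\s*wagtail(\[[^\]]*\])?\s*(?=[=<>~!;#\s]|$)", re.I)
PIN = re.compile(r"==\s*(\d+(?:\.\d+){0,2})\s*(?:[;#].*)?$")
SAMPLE = "django>=4.2\nwagtail==7.0.4\nwagtail-localize==1.9\nwagtail>=6.3\n"  # constructed


def upgrade_target(version):
    """Fixed release to move to, or None if the version is not affected."""
    v = tuple(int(p) for p in version.split("."))
    v += (0,) * (3 - len(v))  # '7.1' -> (7, 1, 0)
    for low, high in AFFECTED:
        if low <= v < high:
            return ".".join(map(str, high))
    return None


def audit(requirements_text):
    """Return (line_no, spec, status) for each line that names wagtail."""
    findings = []
    for no, line in enumerate(requirements_text.splitlines(), 1):
        name = NAME.match(line)
        if not name:
            continue
        spec = line[name.end():].strip()
        pin = PIN.match(spec)
        target = upgrade_target(pin.group(1)) if pin else None
        if not pin:
            status = "not an exact pin, check the resolved version"
        elif target:
            status = "affected, upgrade to " + target
        else:
            status = "not in an affected range"
        findings.append((no, spec, status))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Range specifiers and pre-release pins are reported rather than guessed at, so confirm the installed version for those lines separately.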