PT-2019-14822 · Wagtail · Wagtail-2Fa

Michiel Bijland · Published 2019-11-29 · Updated 2020-10-09 · CVE-2019-16766

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: wagtail-2fa versions prior to 1.3.0

Description: The issue allows an attacker to bypass the 2FA check by changing the URL after gaining access to someone's Wagtail login credentials. They can then add a new device and gain full access to the CMS.

Recommendations: For versions prior to 1.3.0, update to version 1.3.0 to resolve the issue. As a temporary workaround, consider restricting access to the device addition functionality until the update is applied.

Fix

Authentication Bypass by Spoofing


Weakness Enumeration

Related identifiers

CVE-2019-16766
GHSA-89PX-WW3J-G2MM
PYSEC-2019-135

Affected products

Wagtail-2Fa