PT-2019-14822 · Wagtail · Wagtail-2Fa

Michiel Bijland · Published 2019-11-29 · Updated 2020-10-09 · CVE-2019-16766

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: wagtail-2fa, versions prior to 1.3.0
Description: An attacker who has obtained a user's Wagtail login credentials can authenticate with the password alone and then bypass the 2FA check by changing the URL to reach the device-enrolment views directly. There they can add a new device of their own, satisfy the second-factor check with it, and gain full access to the CMS.
Recommendations: Update to wagtail-2fa 1.3.0 or later, where the issue is resolved. As a temporary workaround until the update is applied, restrict access to the device-addition functionality so that a user who already has an enrolled device cannot reach it without first verifying their second factor.
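The access-control mistake the description refers to, as an added illustration that is not wagtail-2fa's own code: a user who holds the password but not the victim's TOTP device is allowed to reach the device-enrolment view because that view is exempt from the OTP check for everyone, rather than only for users with no device yet. The URL names, the two policy functions and the `User` model below are assumptions modelled on the shape of a Django OTP middleware; the code runs without Django so the policy can be exercised offline, with the vulnerable decision beside the corrected one.

```python
"""Illustrative model of the wagtail-2fa < 1.3.0 access-control mistake.

Added example, not the project's code. URL names, the User model and the
two policy functions are assumptions that mirror the shape of a Django
OTP middleware; no Django is needed to run this.
"""
from dataclasses import dataclass, field

# Views that must be reachable before the second factor is verified
# (login, logout and the 2FA prompt itself). Common to both policies.
ALWAYS_ALLOWED = {"wagtailadmin_login", "wagtailadmin_logout", "wagtail_2fa_auth"}

# Device enrolment views (assumed names). Only legitimately needed by a
# user who has no confirmed device yet.
ENROLMENT_VIEWS = {
    "wagtail_2fa_device_list",
    "wagtail_2fa_device_new",
    "wagtail_2fa_device_qrcode",
}


@dataclass
class User:
    username: str
    password_ok: bool = False                 # first factor supplied
    confirmed_devices: list = field(default_factory=list)
    otp_verified: bool = False                # second factor supplied this session

    def has_device(self) -> bool:
        return bool(self.confirmed_devices)


def decide_vulnerable(user: User, url_name: str) -> str:
    """Pre-1.3.0 shape: enrolment views are exempt from the OTP check for
    every logged-in user, even one who already owns a device."""
    if not user.password_ok:
        return "redirect:login"
    if url_name in ALWAYS_ALLOWED or url_name in ENROLMENT_VIEWS:
        return "allow"
    if user.has_device() and not user.otp_verified:
        return "redirect:wagtail_2fa_auth"
    return "allow"


def decide_fixed(user: User, url_name: str, two_fa_required: bool = True) -> str:
    """Hardened shape: enrolment views are exempt only while the user has
    no device. An enrolled user must pass OTP before touching devices."""
    if not user.password_ok:
        return "redirect:login"
    if url_name in ALWAYS_ALLOWED:
        return "allow"
    if user.has_device():
        return "allow" if user.otp_verified else "redirect:wagtail_2fa_auth"
    # No device yet: enrolment is allowed, and forced if 2FA is mandatory.
    if url_name in ENROLMENT_VIEWS:
        return "allow"
    return "redirect:wagtail_2fa_device_new" if two_fa_required else "allow"


def attacker_walkthrough(decide) -> dict:
    """Attacker holds the victim's password but not their TOTP device.
    Returns the middleware decision at each step of the bypass attempt."""
    # Constructed victim: enrolled with one confirmed device.
    victim = User("editor", password_ok=True, confirmed_devices=["phone-totp"])
    steps = {}
    steps["dashboard"] = decide(victim, "wagtailadmin_home")
    steps["device_new"] = decide(victim, "wagtail_2fa_device_new")
    if steps["device_new"] == "allow":
        # Enrolling a second device hands the attacker a valid second factor.
        victim.confirmed_devices.append("attacker-totp")
        victim.otp_verified = True
    steps["dashboard_after"] = decide(victim, "wagtailadmin_home")
    return steps


if __name__ == "__main__":
    for name, policy in (("vulnerable", decide_vulnerable), ("fixed", decide_fixed)):
        print(name, attacker_walkthrough(policy))
```

Under `decide_vulnerable` the first request to the dashboard is correctly bounced to the 2FA prompt, but the direct request to the enrolment view is allowed, and after enrolling their own device the attacker reaches the dashboard. Under `decide_fixed` the enrolment view is treated like any other protected view for a user who already has a device, so the bypass never gets past the prompt, while a genuinely new user is still steered to enrolment.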

Fix

wagtail-2fa 1.3.0

Weakness Enumeration

CWE-290: Authentication Bypass by Spoofing

Related Identifiers

CVE-2019-16766
GHSA-89PX-WW3J-G2MM
PYSEC-2019-135

Affected Products

Wagtail-2Fa