PT-2020-18336 · Wagtail · Wagtail-2Fa

Published

2020-03-13

Updated

2020-03-18

CVE-2020-5240

CVSS v3.1

8.5

High

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Name of the Vulnerable Software and Affected Versions wagtail-2fa versions prior to 1.4.1

Description The issue allows any user with access to the CMS to view and delete other users' 2FA devices by going to the correct path, without requiring special permissions. By deleting another user's device, an attacker can disable the target user's 2FA devices and potentially compromise the account if they figure out the password.

Recommendations For versions prior to 1.4.1, update to version 1.4.1 to resolve the issue. As a temporary workaround, consider restricting access to the CMS to minimize the risk of exploitation.

Fix

Improper Authorization

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-285CWE-863

Related Identifiers

CVE-2020-5240

GHSA-9GJV-6QQ6-V7QM

PYSEC-2020-219

Affected Products

Wagtail-2Fa

PT-2020-18336 · Wagtail · Wagtail-2Fa

CVE-2020-5240

Weakness Enumeration

Related Identifiers

Affected Products

References · 9