CVE-2023-45809

Name of the Vulnerable Software and Affected Versions Wagtail versions prior to 4.1.8 Wagtail versions prior to 5.0.5 Wagtail versions prior to 5.1.3

Description A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The issue is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Recommendations For versions prior to 4.1.8, upgrade to Wagtail 4.1.8 (LTS) or later. For versions prior to 5.0.5, upgrade to Wagtail 5.0.5 or later. For versions prior to 5.1.3, upgrade to Wagtail 5.1.3 or later. As a temporary workaround, consider restricting access to the admin view that handles bulk actions on user accounts until a patch is available.