PT-2024-26392 · Wagtail · Wagtail
Engineervix
·
Published
2024-05-30
·
Updated
2024-06-02
·
CVE-2024-35228
CVSS v3.1
5.5
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Wagtail versions prior to 6.0.5 and prior to 6.1.2
Description
Due to an improperly applied permission check in the
wagtail.contrib.settings module, a user with access to the Wagtail admin and knowledge of the URL of the edit view for a settings model can access and update that setting, even when they have not been granted permission over the model. The issue is not exploitable by an ordinary site visitor without access to the Wagtail admin.Recommendations
For Wagtail versions prior to 6.0.5, upgrade to version 6.0.5 or later.
For Wagtail versions prior to 6.1.2, upgrade to version 6.1.2 or later.
As a temporary workaround for
ModelViewSet, consider registering the model as a snippet instead.
Note that no workaround is available for wagtail.contrib.settings.Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wagtail