When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. This problem has been patched in version 1.3.0.
References
Link | Resource |
---|---|
https://github.com/LabD/wagtail-2fa/security/advisories/GHSA-89px-ww3j-g2mm | Third Party Advisory |
https://github.com/labd/wagtail-2fa/commit/13b12995d35b566df08a17257a23863ab6efb0ca | Patch Third Party Advisory |
https://github.com/labd/wagtail-2fa/commit/a6711b29711729005770ff481b22675b35ff5c81 | Patch Third Party Advisory |
Configurations
History
No history.
Information
Published : 2019-11-29 17:15
Updated : 2024-02-28 17:28
NVD link : CVE-2019-16766
Mitre link : CVE-2019-16766
CVE.ORG link : CVE-2019-16766
JSON object : View
Products Affected
labdigital
- wagtail-2fa
CWE
NVD-CWE-noinfo
CWE-290
Authentication Bypass by Spoofing
CWE-304Missing Critical Step in Authentication