CVE-2020-5240

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-5240
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-5240.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-5240
Aliases
Related
Published
2020-03-13T22:15:11Z
Modified
2025-07-01T11:38:46.392909Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Summary
[none]
Details

In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users' 2FA devices by navigating to the corresponding path. The user does not require any special permissions to do so. By deleting another user's device, they can disable the target user's 2FA devices and potentially compromise the account if they figure out that user's password. The problem has been patched in version 1.4.1.

References

Affected packages

Git / github.com/labd/wagtail-2fa

Affected ranges

Type
GIT
Repo
https://github.com/labd/wagtail-2fa
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.0.1
0.0.2
0.0.3
0.1.0

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0