GHSA-9gjv-6qq6-v7qm

Suggest an improvement
Source
https://github.com/advisories/GHSA-9gjv-6qq6-v7qm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-9gjv-6qq6-v7qm/GHSA-9gjv-6qq6-v7qm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9gjv-6qq6-v7qm
Aliases
Related
Published
2020-03-13T21:18:55Z
Modified
2024-11-19T15:49:42.579384Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N CVSS Calculator
  • 6.2 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N CVSS Calculator
Summary
2FA bypass through deleting devices in wagtail-2fa
Details

Impact

Any user with access to the CMS can view and delete other users' 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other user's device they can disable the target user's 2FA devices and potentially compromise the account if they figure out their password.

Patches

The problem has been patched in version 1.4.1.

Workarounds

There is no workaround for this issue.

For more information

If you have any questions or comments about this advisory: * Open an issue in github.com/labd/wagtail-2fa * Email us at security@labdigital.nl

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-285"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-03-13T21:18:19Z"
}
References

Affected packages

PyPI / wagtail-2fa

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.1

Affected versions

0.*

0.0.1
0.0.2
0.0.3
0.1.0

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0