GHSA-fc75-58r8-rm3h

Source

https://github.com/advisories/GHSA-fc75-58r8-rm3h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-fc75-58r8-rm3h/GHSA-fc75-58r8-rm3h.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-fc75-58r8-rm3h

Aliases

Published

2023-10-19T15:50:58Z

Modified

2023-11-10T05:27:57.970440Z

Severity

2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Wagtail vulnerable to disclosure of user names via admin bulk action views

Details

Impact

A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patches

Patched versions have been released as Wagtail 4.1.9 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release.

Workarounds

None.

Acknowledgements

Many thanks to @quyenheu for reporting this issue.

For more information

If you have any questions or comments about this advisory:

Visit Wagtail's support channels
Email us at security@wagtail.org (view our security policy for more information).

Database specific

{
    "nvd_published_at": "2023-10-19T19:15:15Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-425",
        "CWE-532"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-19T15:50:58Z"
}

References

Affected packages

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.9

Affected versions

0.*

0.1

0.2

0.3

0.3.1

0.4

0.4.1

0.5

0.6

0.7

0.8

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.8.10

1.*

1.0b1

1.0b2

1.0rc1

1.0rc2

1.0

1.1rc1

1.1

1.2rc1

1.2

1.3rc1

1.3

1.3.1

1.4rc1

1.4

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.5rc1

1.5

1.5.1

1.5.2

1.5.3

1.6rc1

1.6

1.6.1

1.6.2

1.6.3

1.7rc1

1.7

1.8rc1

1.8

1.8.1

1.8.2

1.9rc1

1.9

1.9.1

1.10rc1

1.10

1.10.1

1.11rc1

1.11

1.11.1

1.12rc1

1.12

1.12.1

1.12.2

1.12.3

1.12.4

1.12.5

1.12.6

1.13rc1

1.13

1.13.1

1.13.2

1.13.3

1.13.4

2.*

2.0b1

2.0rc1

2.0

2.0.1

2.0.2

2.1rc1

2.1rc2

2.1

2.1.1

2.1.2

2.1.3

2.2rc1

2.2rc2

2.2

2.2.1

2.2.2

2.3rc1

2.3rc2

2.3

2.4rc1

2.4

2.5rc1

2.5

2.5.1

2.5.2

2.6rc1

2.6

2.6.1

2.6.2

2.6.3

2.7rc1

2.7rc2

2.7

2.7.1

2.7.2

2.7.3

2.7.4

2.8rc1

2.8

2.8.1

2.8.2

2.9rc1

2.9

2.9.1

2.9.2

2.9.3

2.10rc1

2.10rc2

2.10

2.10.1

2.10.2

2.11rc1

2.11

2.11.1

2.11.2

2.11.3

2.11.4

2.11.5

2.11.6

2.11.7

2.11.8

2.11.9

2.12rc1

2.12

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.12.6

2.13rc1

2.13rc2

2.13rc3

2.13

2.13.1

2.13.2

2.13.3

2.13.4

2.13.5

2.14rc1

2.14

2.14.1

2.14.2

2.15rc1

2.15rc2

2.15

2.15.1

2.15.2

2.15.3

2.15.4

2.15.5

2.15.6

2.16rc1

2.16rc2

2.16

2.16.1

2.16.2

2.16.3

3.*

3.0rc1

3.0rc2

3.0rc3

3.0

3.0.1

3.0.2

3.0.3

4.*

4.0rc1

4.0rc2

4.0

4.0.1

4.0.2

4.0.3

4.0.4

4.1rc1

4.1

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0

Fixed

5.0.5

Affected versions

4.*

4.2

4.2.1

4.2.2

4.2.3

4.2.4

5.*

5.0rc1

5.0

5.0.1

5.0.2

5.0.3

5.0.4

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.1.0

Fixed

5.1.3

Affected versions

5.*

5.1

5.1.1

5.1.2