PYSEC-2020-219

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/wagtail-2fa/PYSEC-2020-219.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2020-219
Aliases
Published
2020-03-13T22:15:00Z
Modified
2023-11-01T04:53:22.054029Z
Summary
[none]
Details

In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users' 2FA devices by navigating to the corresponding path. The user does not require any special permissions to do so. By deleting another user's device, an attacker can disable the target user's 2FA and potentially compromise the account if they also obtain that user's password. The problem has been patched in version 1.4.1.

References

Affected packages

PyPI / wagtail-2fa

Package

Affected ranges

Type
GIT
Repo
https://github.com/labd/wagtail-2fa
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed
Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.1

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.1.0
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/wagtail-2fa/PYSEC-2020-219.yaml"