CVE-2020-5240

Published: Mar 13, 2020Modified: Nov 21, 2024

8.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Exploitability: 3.1 / Impact: 4.7

Source: NVD

Description

In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other users device they can disable the target users 2FA devices and potentially compromise the account if they figure out their password. The problem has been patched in version 1.4.1.

Affected (1)

Products: Labdigital: Wagtail 2fa

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Labdigital Wagtail 2fa	Before 1.4.1

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://github.com/labd/wagtail-2fa/commit/ac23550d33b7436e90e3beea904647907eba5b74

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/labd/wagtail-2fa/security/advisories/GHSA-9gjv-6qq6-v7qm

Source: security-advisories@github.com

Third Party Advisory

https://github.com/labd/wagtail-2fa/commit/ac23550d33b7436e90e3beea904647907eba5b74

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/labd/wagtail-2fa/security/advisories/GHSA-9gjv-6qq6-v7qm

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.