CVE Vulnerability

CVE-2020-5240

In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other users device they can disable the target users 2FA devices and potentially compromise the account if they figure out their password. The problem has been patched in version 1.4.1.

5.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

8.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/labd/wagtail-2fa/commit/ac23550d33b7436e90e3beea904647907eba5b74 Patch Third Party Advisory
https://github.com/labd/wagtail-2fa/security/advisories/GHSA-9gjv-6qq6-v7qm Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:labdigital:wagtail-2fa:*:*:*:*:*:*:*:*
Information

Published : 2020-03-13 10:15

Updated : 2020-03-18 07:25

NVD link : CVE-2020-5240

Mitre link : CVE-2020-5240

Products Affected
No products.
CWE
CWE-863