QwikSec

Security Database

CVE

CWE

Training

CVE-2019-16766

Published: Nov 29, 2019

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.1

8.7

HIGH

Description

When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. This problem has been patched in version 1.3.0.

Vendor	Product	Versions
Lab Digital	wagtail-2fa	affected `< 1.3.0 - < 1.3.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/LabD/wagtail-2fa/security/advisories/GHSA-89px-ww3j-g2mm

x_refsource_CONFIRM

https://github.com/labd/wagtail-2fa/commit/a6711b29711729005770ff481b22675b35ff5c81

x_refsource_MISC

https://github.com/labd/wagtail-2fa/commit/13b12995d35b566df08a17257a23863ab6efb0ca

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.