CVE-2020-5240

Published: Mar 13, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

7.6

HIGH

Description

In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other users device they can disable the target users 2FA devices and potentially compromise the account if they figure out their password. The problem has been patched in version 1.4.1.

Vendor	Product	Versions
Lab Digital	wagtail-2fa	affected `< 1.4.1`

Weaknesses (CWE)

CWE-285

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

None

References

https://github.com/labd/wagtail-2fa/security/advisories/GHSA-9gjv-6qq6-v7qm

x_refsource_CONFIRM

https://github.com/labd/wagtail-2fa/commit/ac23550d33b7436e90e3beea904647907eba5b74

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-5240

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References