CVE-2023-45809

Published: Oct 19, 2023

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

2.7

LOW

Description

Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vendor	Product	Versions
wagtail	wagtail	affected `< 4.1.9` affected `>= 5.0.0, < 5.0.5` affected `>= 5.1.0, < 5.1.3`

Weaknesses (CWE)

CWE-200

CWE-425

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h

x_refsource_CONFIRM

https://github.com/wagtail/wagtail/commit/bc96aed6ac53f998b2f4c4bf97e2d4f5fe337e5b

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-45809

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References