CVE-2020-5240

Опубликовано: 13 мар. 2020

Источник: nvd

CVSS3: 7.6

CVSS3: 8.5

CVSS2: 5.5

EPSS Низкий

Описание

In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other users device they can disable the target users 2FA devices and potentially compromise the account if they figure out their password. The problem has been patched in version 1.4.1.

Ссылки

https://github.com/labd/wagtail-2fa/commit/ac23550d33b7436e90e3beea904647907eba5b74
Patch
Third Party Advisory
https://github.com/labd/wagtail-2fa/security/advisories/GHSA-9gjv-6qq6-v7qm
Third Party Advisory
https://github.com/labd/wagtail-2fa/commit/ac23550d33b7436e90e3beea904647907eba5b74
Patch
Third Party Advisory
https://github.com/labd/wagtail-2fa/security/advisories/GHSA-9gjv-6qq6-v7qm
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:labdigital:wagtail-2fa:*:*:*:*:*:*:*:*

Версия до 1.4.1 (исключая)

EPSS

Процентиль: 37%

0.00161

Низкий

7.6 High

CVSS3

8.5 High

CVSS3

5.5 Medium

CVSS2

Дефекты

CWE-285

CWE-863

Связанные уязвимости

GHSA-9gjv-6qq6-v7qm

CVSS3: 7.6

github

почти 6 лет назад

2FA bypass through deleting devices in wagtail-2fa

EPSS

Процентиль: 37%

0.00161

Низкий

7.6 High

CVSS3

8.5 High

CVSS3

5.5 Medium

CVSS2

Дефекты

CWE-285

CWE-863