8.8
CVE-2019-16766
- EPSS 1.16%
- Veröffentlicht 29.11.2019 17:15:11
- Zuletzt bearbeitet 21.11.2024 04:31:08
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Login2FA bypass in Wagtail through new device path
When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. This problem has been patched in version 1.3.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Labdigital ≫ Wagtail-2fa Version < 1.3.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.16% | 0.631 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 4 | 8 | 2.9 |
AV:N/AC:L/Au:S/C:P/I:N/A:N
|
| security-advisories@github.com | 8.7 | 2.3 | 5.8 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
|
CWE-290 Authentication Bypass by Spoofing
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
CWE-304 Missing Critical Step in Authentication
The product implements an authentication technique, but it skips a step that weakens the technique.
https://github.com/LabD/wagtail-2fa/security/advisories/GHSA-89px-ww3j-g2mm
https://github.com/labd/wagtail-2fa/commit/13b12995d35b566df08a17257a23863ab6efb0ca
https://github.com/labd/wagtail-2fa/commit/a6711b29711729005770ff481b22675b35ff5c81