CVE-2020-5240

EPSS 0.16%
Veröffentlicht 13.03.2020 22:15:11
Zuletzt bearbeitet 21.11.2024 05:33:44
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other users device they can disable the target users 2FA devices and potentially compromise the account if they figure out their password. The problem has been patched in version 1.4.1.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Labdigital ≫ Wagtail-2fa Version < 1.4.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.16%	0.375

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.5	3.1	4.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
nvd@nist.gov	5.5	8	4.9	AV:N/AC:L/Au:S/C:P/I:P/A:N
security-advisories@github.com	7.6	2.3	4.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/labd/wagtail-2fa/commit/ac23550d33b7436e90e3beea904647907eba5b74

Patch

Third Party Advisory

https://github.com/labd/wagtail-2fa/security/advisories/GHSA-9gjv-6qq6-v7qm

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-5240

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-5240

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-5240

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2020-5240