Lucene search

K
cve[email protected]CVE-2019-16766
HistoryNov 29, 2019 - 5:15 p.m.

CVE-2019-16766

2019-11-2917:15:11
CWE-290
CWE-304
web.nvd.nist.gov
47
cve-2019-16766
wagtail-2fa
access control
2fa bypass
cms security
vulnerability patch

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.9%

When using wagtail-2fa before 1.3.0, if someone gains access to someone’s Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. This problem has been patched in version 1.3.0.

Affected configurations

Vulners
NVD
Node
lab_digitalwagtail_2faRange<1.3.0

CNA Affected

[
  {
    "product": "wagtail-2fa",
    "vendor": "Lab Digital",
    "versions": [
      {
        "lessThan": "1.3.0",
        "status": "affected",
        "version": "< 1.3.0",
        "versionType": "custom"
      }
    ]
  }
]

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.9%

Related for CVE-2019-16766