Lucene search

K
cve[email protected]CVE-2020-5240
HistoryMar 13, 2020 - 10:15 p.m.

CVE-2020-5240

2020-03-1322:15:11
CWE-863
CWE-285
web.nvd.nist.gov
118
cve-2020-5240
wagtail-2fa
unauthorized access
2fa devices
vulnerability
nvd

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

8.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

8.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.4%

In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other users device they can disable the target users 2FA devices and potentially compromise the account if they figure out their password. The problem has been patched in version 1.4.1.

Affected configurations

Vulners
NVD
Node
lab_digitalwagtail_2faRange<1.4.1

CNA Affected

[
  {
    "product": "wagtail-2fa",
    "vendor": "Lab Digital",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.4.1"
      }
    ]
  }
]

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

8.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

8.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.4%

Related for CVE-2020-5240