Lucene search

K
cve[email protected]CVE-2023-45809
HistoryOct 19, 2023 - 7:15 p.m.

CVE-2023-45809

2023-10-1919:15:15
CWE-532
CWE-425
CWE-200
web.nvd.nist.gov
48
wagtail
cve-2023-45809
content management system
django
user account
security
vulnerability
patch
upgrade

2.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

3.9 Low

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.0%

Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners
NVD
Node
wagtailwagtailRange<4.1.9
OR
wagtailwagtailRange5.0.05.0.5
OR
wagtailwagtailRange5.1.05.1.3

CNA Affected

[
  {
    "vendor": "wagtail",
    "product": "wagtail",
    "versions": [
      {
        "version": "< 4.1.9",
        "status": "affected"
      },
      {
        "version": ">= 5.0.0, < 5.0.5",
        "status": "affected"
      },
      {
        "version": ">= 5.1.0, < 5.1.3",
        "status": "affected"
      }
    ]
  }
]

2.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

3.9 Low

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.0%

Related for CVE-2023-45809