CVE-2023-45809 Disclosure of user names via admin bulk action views in wagtail

2023-10-1918:33:26

CWE-425

CWE-200

GitHub_M

www.cve.org

disclosure

user names

admin view

wagtail

django

limited-permission

editor account

url request

bulk actions

authentication

error message

patched versions

upgrade

2.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

4.1 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.1%

JSON

Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CNA Affected

[
  {
    "vendor": "wagtail",
    "product": "wagtail",
    "versions": [
      {
        "version": "< 4.1.9",
        "status": "affected"
      },
      {
        "version": ">= 5.0.0, < 5.0.5",
        "status": "affected"
      },
      {
        "version": ">= 5.1.0, < 5.1.3",
        "status": "affected"
      }
    ]
  }
]