PyPi: Wagtail-2fa

CVE-2019-16766

Safety vulnerability ID: 41209

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Nov 29, 2019 Updated at Dec 10, 2024
Scan your Python projects for vulnerabilities →

Advisory

Wagtail-2fa version 1.3.0 includes a fix for CVE-2019-16766: When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS.

Affected package

wagtail-2fa

Latest version: 1.6.9

Two factor authentication for Wagtail

Affected versions

Fixed versions

Vulnerability changelog

==================
- Add OtpRequiredMixin to enforce OTP checks in views
- Resolve possible vulnerabilities:
- [CWE-290](http://cwe.mitre.org/data/definitions/290.html)
- [CWE-20](http://cwe.mitre.org/data/definitions/20.html)

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 8.8

CVSS v3 Details

HIGH 8.8
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
LOW
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
HIGH
Availability Availability (A)
HIGH

CVSS v2 Details

MEDIUM 4.0
Access Vector (AV)
NETWORK
Access Complexity (AC)
LOW
Authentication (Au)
SINGLE
Confidentiality Impact (C)
PARTIAL
Integrity Impact (I)
NONE
Availability Impact (A)
NONE