Vulnerabilities > CVE-2020-5240 - Incorrect Authorization vulnerability in Labdigital Wagtail-2Fa

CVSS 8.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

labdigital

CWE-863

NVD

Published: 2020-03-13

Updated: 2020-03-18

Summary

In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other users device they can disable the target users 2FA devices and potentially compromise the account if they figure out their password. The problem has been patched in version 1.4.1.

Vulnerable Configurations

Part	Description	Count
Application	Labdigital Labdigital Wagtail 2FA 0.0.1 Labdigital Wagtail 2FA 0.0.2 Labdigital Wagtail 2FA 0.0.3 Labdigital Wagtail 2FA 0.1.0 Labdigital Wagtail 2FA 1.0.0 Labdigital Wagtail 2FA 1.0.1 Labdigital Wagtail 2FA 1.1.0 Labdigital Wagtail 2FA 1.2.0 Labdigital Wagtail 2FA 1.3.0 Labdigital Wagtail 2FA 1.3.1 Labdigital Wagtail 2FA 1.3.2 Labdigital Wagtail 2FA 1.3.3 Labdigital Wagtail 2FA 1.3.4 Labdigital Wagtail 2FA 1.4.0	14

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References