Moderate severity · NVD Advisory · Published Nov 29, 2019 · Updated Aug 5, 2024
2FA bypass in Wagtail through new device path
CVE-2019-16766
Description
When using wagtail-2fa before 1.3.0, an attacker who gains access to a user's Wagtail login credentials can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. This problem has been patched in version 1.3.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wagtail-2fa (PyPI) | < 1.3.0 | 1.3.0 |
Affected products
- Lab Digital/wagtail-2fa (v5), Range: < 1.3.0
References
- github.com/advisories/GHSA-89px-ww3j-g2mm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-16766 (ghsa, ADVISORY)
- github.com/LabD/wagtail-2fa/security/advisories/GHSA-89px-ww3j-g2mm (mitre, x_refsource_CONFIRM)
- github.com/labd/wagtail-2fa/commit/13b12995d35b566df08a17257a23863ab6efb0ca (ghsa, x_refsource_MISC, WEB)
- github.com/labd/wagtail-2fa/commit/a6711b29711729005770ff481b22675b35ff5c81 (ghsa, x_refsource_MISC, WEB)
- github.com/labd/wagtail-2fa/security/advisories/GHSA-89px-ww3j-g2mm (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/wagtail-2fa/PYSEC-2019-135.yaml (ghsa, WEB)