Moderate severity · NVD Advisory · Published Mar 13, 2020 · Updated Aug 4, 2024
2FA bypass through deleting devices in wagtail-2fa
CVE-2020-5240
Description
In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users' 2FA devices simply by requesting the right URL path. No special permission is required; an ordinary authenticated account is enough. By deleting another user's devices, an attacker disables 2FA for the target account and can take it over if they also obtain the password. The problem has been patched in version 1.4.1.
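The missing control in the affected versions is object-level authorisation on the device-management URLs: the device is resolved from the primary key in the path and acted on without checking whose device it is. The following Python is an added illustration written for this page, not wagtail-2fa's own code. It models a device-delete endpoint first as the advisory describes it (only a "logged in" check) and then with the lookup scoped to what the requesting user may manage; the `User` and `TOTPDevice` classes, the permission string `wagtail_2fa.manage_other_devices` and the sample data are all hypothetical constructs for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Minimal stand-in for a CMS account (hypothetical, not a Django model)."""
    username: str
    is_superuser: bool = False
    permissions: frozenset = frozenset()


@dataclass
class TOTPDevice:
    """Minimal stand-in for a user's second-factor device."""
    pk: int
    owner: str          # username of the account the device belongs to
    name: str
    confirmed: bool = True


class PermissionDenied(Exception):
    pass


class NotFound(Exception):
    pass


# Hypothetical permission string; the real project's permission names are not
# documented on this page.
MANAGE_OTHER_DEVICES = "wagtail_2fa.manage_other_devices"


def sample_devices():
    """Constructed in-memory 'table' keyed by primary key (fresh copy per call)."""
    return {
        1: TOTPDevice(pk=1, owner="admin", name="admin phone"),
        2: TOTPDevice(pk=2, owner="editor", name="editor phone"),
        3: TOTPDevice(pk=3, owner="editor", name="editor yubikey"),
    }


def delete_device_vulnerable(user, device_pk, devices):
    """Pre-1.4.1-style behaviour: the only check is 'is someone logged in?'.

    The device is looked up by the pk taken from the URL and deleted regardless
    of who owns it, so any authenticated account can strip 2FA from any other.
    """
    if user is None:
        raise PermissionDenied("login required")
    if device_pk not in devices:
        raise NotFound(device_pk)
    del devices[device_pk]
    return True


def can_manage(user, device):
    """Object-level authorisation: owner, superuser, or explicit permission."""
    return (
        device.owner == user.username
        or user.is_superuser
        or MANAGE_OTHER_DEVICES in user.permissions
    )


def list_devices_fixed(user, devices):
    """Listing gets the same scoping as deletion (the advisory covers viewing too)."""
    return [d for d in devices.values() if can_manage(user, d)]


def delete_device_fixed(user, device_pk, devices):
    """Scoped delete: the pk is honoured only if the caller may manage that device.

    Missing and foreign devices both yield NotFound so the endpoint cannot be
    used to enumerate which device ids exist for other users.
    """
    if user is None:
        raise PermissionDenied("login required")
    device = devices.get(device_pk)
    if device is None or not can_manage(user, device):
        raise NotFound(device_pk)
    del devices[device_pk]
    return True


def confirmed_device_count(username, devices):
    """How many confirmed devices a user still has; 0 means 2FA is effectively off."""
    return sum(1 for d in devices.values() if d.owner == username and d.confirmed)
```

The ownership check belongs in the queryset (or equivalent lookup), not only in the template that hides the delete button, because the attack in this advisory is made by typing the path directly. `confirmed_device_count` is the after-the-fact check an operator can run on an affected deployment: an account whose confirmed-device count dropped to zero through a request made by a different account is exactly the pattern described above.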
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wagtail-2fa (PyPI) | < 1.4.1 | 1.4.1 |
Affected products
- Lab Digital / wagtail-2fa, range: < 1.4.1
References
- GHSA-9gjv-6qq6-v7qm (GitHub Advisory Database): github.com/advisories/GHSA-9gjv-6qq6-v7qm
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2020-5240
- Fix commit: github.com/labd/wagtail-2fa/commit/ac23550d33b7436e90e3beea904647907eba5b74
- Project security advisory: github.com/labd/wagtail-2fa/security/advisories/GHSA-9gjv-6qq6-v7qm
- PYSEC-2020-219: github.com/pypa/advisory-database/tree/main/vulns/wagtail-2fa/PYSEC-2020-219.yaml