Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
2FA bypass through deleting devices in wagtail-2fa
Vulnerability Description
In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other users device they can disable the target users 2FA devices and potentially compromise the account if they figure out their password. The problem has been patched in version 1.4.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
Vulnerability Type
授权机制不恰当
Vulnerability Title
wagtail-2fa 授权问题漏洞
Vulnerability Description
wagtail-2fa是一款双因素验证软件包。 wagtail-2fa 1.4.1之前版本中存在授权问题漏洞,该漏洞源于程序对其他用户2FA设备的查看和删除功能没有要求特定的权限。远程攻击者可利用该漏洞关闭目标用户的2FA设备并可能入侵账户。
CVSS Information
N/A
Vulnerability Type
N/A