Homepage
About Snyk

Direct Request ('Forced Browsing') Affecting wagtail package, versions [,4.1.9) [4.2,5.0.5) [5.1,5.1.3)

Severity

 Recommended
0.0
low
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.05% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-WAGTAIL-6016491
  • published 20 Oct 2023
  • disclosed 19 Oct 2023
  • credit quyenheu
Report a new vulnerability Found a mistake?

Introduced: 19 Oct 2023

CVE-2023-45809 Open this link in a new tab
CWE-425 Open this link in a new tab

How to fix?

Upgrade wagtail to version 4.1.9, 5.0.5, 5.1.3 or higher.

Overview

wagtail is an open source content management system built on Django.

Affected versions of this package are vulnerable to Direct Request ('Forced Browsing') through the admin bulk action views. An attacker can disclose user names by making a direct URL request.

Note:

This is only exploitable if the attacker has a limited-permission editor account for the Wagtail admin.

CVSS Scores

version 3.1
Expand this section

Snyk

2.7 low
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    High
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

NVD

2.7 low