Improper Authorization Affecting wagtail package, versions [6.0,6.0.3)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-WAGTAIL-6751729
- published 2 May 2024
- disclosed 2 May 2024
- credit Ben Morse, Joshua Munn
Introduced: 2 May 2024
CVE-2024-32882 Open this link in a new tabHow to fix?
Upgrade wagtail to version 6.0.3 or higher.
Overview
wagtail is an open source content management system built on Django.
Affected versions of this package are vulnerable to Improper Authorization through wagtail.contrib.settings or ModelViewSet with restricted access configured via the permission argument on FieldPanel.
An attacker with edit permissions on the model but not on specific fields can craft an HTTP POST request that bypasses the permission checks for individual fields, allowing unauthorized modification of their values.
Note
This issue does not affect ordinary site visitors without Wagtail admin access or users without edit permissions on the model. The editing interfaces for pages and snippets are also unaffected.
Workaround
This vulnerability can be mitigated by either registering the model as a snippet instead of through ModelViewSet for models registered through ModelViewSet, or by placing the restricted fields in a separate settings model and configuring permission at the model level for settings models.