Improper Authorization Affecting wagtail package, versions [6.0,6.0.3)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Improper Authorization vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PYTHON-WAGTAIL-6751729
- published2 May 2024
- disclosed2 May 2024
- creditBen Morse, Joshua Munn
Introduced: 2 May 2024
CVE-2024-32882 (opens in a new tab)How to fix?
Upgrade wagtail to version 6.0.3 or higher.
Overview
wagtail is an open source content management system built on Django.
Affected versions of this package are vulnerable to Improper Authorization through wagtail.contrib.settings or ModelViewSet with restricted access configured via the permission argument on FieldPanel.
An attacker with edit permissions on the model but not on specific fields can craft an HTTP POST request that bypasses the permission checks for individual fields, allowing unauthorized modification of their values.
Note
This issue does not affect ordinary site visitors without Wagtail admin access or users without edit permissions on the model. The editing interfaces for pages and snippets are also unaffected.
Workaround
This vulnerability can be mitigated by either registering the model as a snippet instead of through ModelViewSet for models registered through ModelViewSet, or by placing the restricted fields in a separate settings model and configuring permission at the model level for settings models.