Homepage
About Snyk

Improper Handling of Insufficient Permissions or Privileges Affecting wagtail package, versions [,6.0.5) [6.1rc1,6.1.2)

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.04% (10th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-WAGTAIL-7172128
  • published 31 May 2024
  • disclosed 30 May 2024
  • credit Victor Miti
Report a new vulnerability Found a mistake?

Introduced: 30 May 2024

New CVE-2024-35228 Open this link in a new tab
CWE-280 Open this link in a new tab

How to fix?

Upgrade wagtail to version 6.0.5, 6.1.2 or higher.

Overview

wagtail is an open source content management system built on Django.

Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the wagtail.contrib.settings module. An attacker with access to the admin and knowledge of the URL of the edit view for a settings model can modify settings without proper permissions.

Workaround

This vulnerability can be mitigated in ModelViewSet by registering the model as a snippet instead. No workaround is available for wagtail.contrib.settings.

References

CVSS Scores

version 3.1
Expand this section

Snyk

5.5 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    High
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    High
  • Availability (A)
    None