CVE-2019-16766
2FA bypass in Wagtail through new device path
8.7
HIGH
CVSS 3.1
EPSS 0.16%
Description
When using wagtail-2fa before 1.3.0, an attacker who obtains a user's Wagtail login credentials can log in to the CMS and bypass the 2FA check by changing the URL to the new-device page, which the middleware exempts from verification. From there they can register a device they control and gain full access to the CMS. The problem is patched in version 1.3.0.
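The flaw is an allow-list problem in the verification middleware: the device-enrollment page has to be reachable before the second factor is verified (otherwise a new user could never enrol), but exempting it unconditionally means a user who already has a device can skip straight to enrolling another one. The example below is added here to illustrate that logic and is not code from wagtail-2fa; the paths, session model and the "hardened" rule (exempt enrollment only while the user has no confirmed device) are assumptions for illustration, not a description of the project's actual 1.3.0 patch.

```python
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed, illustrative URL paths (not wagtail-2fa's real route names).
# These must stay reachable for an authenticated-but-unverified user, or the
# second factor could never be completed.
ALWAYS_ALLOWED = {"/admin/login/", "/admin/logout/", "/admin/2fa/auth/"}
# Device-enrollment pages: the ones the vulnerable version exempts unconditionally.
ENROLLMENT_PATHS = {"/admin/2fa/device/new/", "/admin/2fa/device/qrcode/"}
VERIFY_URL = "/admin/2fa/auth/"


@dataclass
class Device:
    name: str
    confirmed: bool = True


@dataclass
class Session:
    username: str
    authenticated: bool          # password accepted
    otp_verified: bool           # second factor completed in this session
    devices: List[Device] = field(default_factory=list)

    def has_confirmed_device(self) -> bool:
        return any(d.confirmed for d in self.devices)


def vulnerable_decision(session: Session, path: str) -> str:
    """Pre-1.3.0-style rule (reconstructed, assumed): every enrollment path is
    exempt from the OTP check, even for a user who already enrolled a device."""
    if not session.authenticated or session.otp_verified:
        return "pass"
    if path in ALWAYS_ALLOWED or path in ENROLLMENT_PATHS:
        return "pass"
    return f"redirect:{VERIFY_URL}"


def hardened_decision(session: Session, path: str) -> str:
    """Assumed hardening: enrollment is exempt only while the user has no
    confirmed device. Anyone who already enrolled must present that device."""
    if not session.authenticated or session.otp_verified:
        return "pass"
    if path in ALWAYS_ALLOWED:
        return "pass"
    if path in ENROLLMENT_PATHS and not session.has_confirmed_device():
        return "pass"
    return f"redirect:{VERIFY_URL}"


def simulate_credential_theft(decision: Callable[[Session, str], str]) -> List[str]:
    """Walk the attack from the advisory: stolen password, then change the URL
    to the new-device page and enrol an attacker-controlled device."""
    victim = Session("editor", authenticated=True, otp_verified=False,
                     devices=[Device("victim-phone")])      # constructed sample user
    trace = []
    trace.append(decision(victim, "/admin/pages/"))          # bounced to verify
    outcome = decision(victim, "/admin/2fa/device/new/")     # attacker edits the URL
    trace.append(outcome)
    if outcome == "pass":
        # Enrollment lets the attacker register a device they control, and
        # completing enrollment verifies the session with that device.
        victim.devices.append(Device("attacker-phone"))
        victim.otp_verified = True
    trace.append(decision(victim, "/admin/pages/"))          # full CMS access?
    return trace


def first_enrollment_allowed(decision: Callable[[Session, str], str]) -> bool:
    """Regression check: a user with no device must still reach enrollment."""
    newcomer = Session("newuser", authenticated=True, otp_verified=False)
    return decision(newcomer, "/admin/2fa/device/new/") == "pass"


if __name__ == "__main__":
    print("vulnerable:", simulate_credential_theft(vulnerable_decision))
    print("hardened:  ", simulate_credential_theft(hardened_decision))
    print("first enrollment still works:", first_enrollment_allowed(hardened_decision))
```

The trace for the vulnerable rule ends in `pass` on the admin page because the attacker's own device now satisfies the check; the hardened rule keeps redirecting to verification, while a genuinely new user (no confirmed device) can still enrol. When reviewing any 2FA middleware, look for exactly this pattern: an unconditional exemption for the enrollment route.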
How to fix CVE-2019-16766
To remediate CVE-2019-16766, upgrade the affected package to a fixed version:
- wagtail-2fa 1.3.0 or later (released package)
- or a build that includes commit 13b12995d35b566df08a17257a23863ab6efb0ca or later (source checkout)
Is CVE-2019-16766 being exploited?
Low. EPSS is 0.16%, meaning exploitation activity has not been observed at scale. Note that the only precondition is a stolen or phished password, so a low EPSS does not reduce the need to upgrade.
Affected packages (2)
- wagtail-2fa (released versions): from 0, < 1.3.0
- wagtail-2fa (source repository): from 0, fixed in commits 13b12995d35b566df08a17257a23863ab6efb0ca and a6711b29711729005770ff481b22675b35ff5c81 (corresponds to < 1.3.0)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N |
| osv | CVSS 3.1 | HIGH (8.7) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N |