CVE-2020-5240
2FA bypass through deleting devices in wagtail-2fa
7.6
HIGH
CVSS 3.1
EPSS 0.17%
Description
In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other users device they can disable the target users 2FA devices and potentially compromise the account if they figure out their password. The problem has been patched in version 1.4.1.
How to fix CVE-2020-5240
To remediate CVE-2020-5240, upgrade the affected package to a fixed version below.
- —upgrade to 1.4.1 or later
- —upgrade to ac23550d33b7436e90e3beea904647907eba5b74 or later
Is CVE-2020-5240 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.4.1
- from 0, < ac23550d33b7436e90e3beea904647907eba5b74 | from 0, < 1.4.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N |
| osv | CVSS 3.1 | HIGH7.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N |