CVE-2020-5240
2FA bypass through deleting devices in wagtail-2fa
7.6
HIGH
CVSS 3.1
EPSS 0.17%
Description
In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users' 2FA devices by navigating to the correct path. The user does not require any special permissions to do so. By deleting another user's devices, an attacker can disable the target user's 2FA protection and potentially compromise the account if they also learn the password. The problem has been patched in version 1.4.1.
How to fix CVE-2020-5240
To fix CVE-2020-5240, upgrade the affected package to one of the patched versions listed below.
- Upgrade to 1.4.1 or later
- Upgrade to commit ac23550d33b7436e90e3beea904647907eba5b74 or later
Is CVE-2020-5240 being exploited?
Low: EPSS is 0.2%, and no large-scale exploitation activity has been observed so far.
Affected packages (2)
- from 0, < 1.4.1
- from 0, < ac23550d33b7436e90e3beea904647907eba5b74 | from 0, < 1.4.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N |
| osv | CVSS 3.1 | HIGH 7.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N |