Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2019-16766

Good to know:

icon
icon

Date: November 29, 2019

When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. This problem has been patched in version 1.3.0.

Language: Python

Severity Score

Related Resources (8)

https://github.com/labd/wagtail-2fa/security/advisories/GHSA-89px-ww3j-g2mm
https://github.com/labd/wagtail-2fa/commit/a6711b29711729005770ff481b22675b35ff5c81
https://nvd.nist.gov/vuln/detail/CVE-2019-16766
https://github.com/labd/wagtail-2fa/commit/13b12995d35b566df08a17257a23863ab6efb0ca
https://github.com/labd/wagtail-2fa
https://github.com/pypa/advisory-database/tree/main/vulns/wagtail-2fa/PYSEC-2019-135.yaml
https://github.com/advisories/GHSA-89px-ww3j-g2mm
https://www.mend.io/vulnerability-database/CVE-2019-16766

Severity Score

Weakness Type (CWE)

Insufficient Information

NVD-CWE-noinfo

Insufficiently Protected Credentials

CWE-522

Authentication Bypass by Spoofing

CWE-290

Missing Critical Step in Authentication

CWE-304

Top Fix

icon

Upgrade Version

Upgrade to version 1.3.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): HIGH
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): SINGLE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us