CVE-2019-16766 HIGH

CVE-2019-16766: 2FA bypass in Wagtail through new device path

Vendor Lab Digital
Product wagtail-2fa
Weakness CWE-304
Published November 29, 2019
Last update August 5, 2024

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

Description

In wagtail-2fa before 1.3.0, an attacker who obtains a user's Wagtail login credentials can log in to the CMS and bypass the 2FA check by changing the URL to the new-device path. They can then register a new device and gain full access to the CMS. This problem has been patched in version 1.3.0.

Key dates

Disclosure timeline

November 29, 2019 CVE published
August 5, 2024 Record updated