#VU82274 Direct Request ('Forced Browsing') in wagtail


Published: 2023-10-20

Vulnerability identifier: #VU82274

Vulnerability risk: Low

CVSSv3.1: 2.4 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-45809

CWE-ID: CWE-425

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
wagtail
Web applications / CMS

Vendor: Torchbox

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to improper access control (CWE-425, forced browsing). A remote user who is signed in to the Wagtail admin can send a direct URL request to the admin view that handles bulk actions on user accounts, bypassing the permission check that normally gates that view in the UI, and thereby gain access to sensitive information about user accounts on the system.
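The following is an added illustration of the pattern described above, not code from Wagtail or from the linked fix commit. It assumes hypothetical view functions, a constructed in-memory user table and a simplified request object; the point it shows is that hiding a menu entry is not an authorization control, and the view reached by direct URL must enforce the permission itself.

```python
from dataclasses import dataclass


class NotAuthenticated(Exception):
    """Caller is not signed in to the admin site."""


class PermissionDenied(Exception):
    """Caller is signed in but lacks the permission the view requires."""


@dataclass(frozen=True)
class User:
    id: int
    username: str
    email: str
    is_staff: bool = False            # may sign in to the admin site
    perms: frozenset = frozenset()    # granted permission codenames


@dataclass
class Request:
    user: User
    path: str
    query: dict                       # parsed query string, e.g. {"id": ["1", "3"]}


# Constructed sample user table; nothing here comes from a real deployment.
USER_TABLE = [
    User(1, "alice", "alice@example.invalid", is_staff=True,
         perms=frozenset({"auth.view_user", "auth.change_user"})),
    User(2, "bob", "bob@example.invalid", is_staff=True),   # editor, no user-admin rights
    User(3, "carol", "carol@example.invalid"),              # not a staff user at all
]


def serialize(u):
    """Fields the bulk-action page would expose for each selected account."""
    return {"id": u.id, "username": u.username, "email": u.email}


def selected_ids(request):
    return {int(i) for i in request.query.get("id", [])}


def bulk_user_view_unchecked(request):
    """Vulnerable shape (hypothetical): the menu link is hidden from users
    without user-management rights, but the view itself only checks for an
    admin login, so anyone who knows the URL can request it directly."""
    if not request.user.is_staff:
        raise NotAuthenticated()
    return [serialize(u) for u in USER_TABLE if u.id in selected_ids(request)]


def bulk_user_view_checked(request, required_perm="auth.change_user"):
    """Hardened shape (hypothetical): authorization is enforced inside the
    view, so it holds regardless of how the request was reached."""
    if not request.user.is_staff:
        raise NotAuthenticated()
    if required_perm not in request.user.perms:
        raise PermissionDenied(f"{request.user.username} lacks {required_perm}")
    return [serialize(u) for u in USER_TABLE if u.id in selected_ids(request)]


def outcome(view, request):
    """Run a view and summarise the result as an HTTP-style status line."""
    try:
        rows = view(request)
    except NotAuthenticated:
        return "401 not authenticated"
    except PermissionDenied:
        return "403 forbidden"
    return f"200 ok: {len(rows)} account(s)"


if __name__ == "__main__":
    bob = USER_TABLE[1]
    req = Request(bob, "/admin/users/bulk/", {"id": ["1", "3"]})
    print("unchecked view:", outcome(bulk_user_view_unchecked, req))
    print("checked view:  ", outcome(bulk_user_view_checked, req))
```

The comparison to make is the same request from the same low-privilege staff account against both views: the unchecked view returns the selected accounts, the checked view refuses with 403. When reviewing a real admin application, the check to perform is that every view reachable by URL enforces its own permission, not only the templates that decide whether to render a link to it.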

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

wagtail: 4.1 - 5.1.2


External links
http://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h
http://github.com/wagtail/wagtail/commit/bc96aed6ac53f998b2f4c4bf97e2d4f5fe337e5b


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
