CVE-2019-16766: 2FA bypass in Wagtail through new device path
(updated )
If someone gains access to someone’s Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS.
References
- github.com/advisories/GHSA-89px-ww3j-g2mm
- github.com/labd/wagtail-2fa
- github.com/labd/wagtail-2fa/commit/13b12995d35b566df08a17257a23863ab6efb0ca
- github.com/labd/wagtail-2fa/commit/a6711b29711729005770ff481b22675b35ff5c81
- github.com/labd/wagtail-2fa/security/advisories/GHSA-89px-ww3j-g2mm
- github.com/pypa/advisory-database/tree/main/vulns/wagtail-2fa/PYSEC-2019-135.yaml
- nvd.nist.gov/vuln/detail/CVE-2019-16766
Code Behaviors & Features
Detect and mitigate CVE-2019-16766 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →