
[Snyk: Low] wagtail Direct Request ('Forced Browsing') (due 1/23/25) #5972

Closed
cnlucas opened this issue Oct 26, 2023 · 1 comment
Labels: Security: general (General security concern or issue), Security: low (Remediate within 90 days)

Comments


cnlucas commented Oct 26, 2023

**Introduced through:** wagtail@4.2.3

**Fixed in:** wagtail@4.1.9, 5.0.5, 5.1.3

**Exploit maturity:** No known exploit

**Detailed paths and remediation**

- Introduced through: project@0.0.0 › wagtail@4.2.3
- Fix: Upgrade wagtail to version 4.1.9, 5.0.5 or 5.1.3

**Security information**

Factors contributing to the scoring:

- Snyk: [CVSS 2.7](https://security.snyk.io/vuln/SNYK-PYTHON-WAGTAIL-6016491) - Low Severity
- NVD: Not available. NVD has not yet published its analysis.
**Overview**

wagtail is an open source content management system built on Django.

Affected versions of this package are vulnerable to Direct Request ('Forced Browsing') through the admin bulk action views. An attacker can disclose user names by making a direct URL request.

Note: this is only exploitable if the attacker has a limited-permission editor account for the Wagtail admin.

@cnlucas cnlucas added Security: low Remediate within 90 days Security: general General security concern or issue labels Oct 26, 2023
@cnlucas cnlucas added this to the Sprint 23.6 milestone Oct 26, 2023
@cnlucas cnlucas changed the title [Snyk: Low] wagtail Direct Request ('Forced Browsing') 1/23/25 [Snyk: Low] wagtail Direct Request ('Forced Browsing') (due 1/23/25) Oct 26, 2023
@tmpayton tmpayton self-assigned this Dec 21, 2023
tmpayton (Contributor) commented:

I tested using Priya's PR and upgrading to wagtail v5.2 removes this vulnerability.

Before: [screenshot]

After: [screenshot]
