#VU82274 Direct Request ('Forced Browsing') in wagtail - CVE-2023-45809

Vulnerability identifier: #VU82274

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-45809

CWE-ID: CWE-425

Exploitation vector: Network

Exploit availability: No

Vulnerable software: wagtail (Web applications / CMS)

Vendor: Torchbox

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to improper access control on the admin view that handles bulk actions on user accounts. A remote administrator can request this view directly by URL, bypassing the intended permission checks, and gain access to sensitive information on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

wagtail: 4.1 - 5.1.2
External links
https://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h
https://github.com/wagtail/wagtail/commit/bc96aed6ac53f998b2f4c4bf97e2d4f5fe337e5b
Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.