CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-39317 – Wagtail regular expression denial-of-service via search query parsing
https://notcve.org/view.php?id=CVE-2024-39317
Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. • https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2 https://github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797 https://github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2 https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-35228 – Improper Handling of Insufficient Permissions in Wagtail
https://notcve.org/view.php?id=CVE-2024-35228
Wagtail is an open source content management system built on Django. Due to an improperly applied permission check in the `wagtail.contrib.settings` module, a user with access to the Wagtail admin and knowledge of the URL of the edit view for a settings model can access and update that setting, even when they have not been granted permission over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 6.0.5 and 6.1.2. Wagtail releases prior to 6.0 are unaffected. • https://github.com/wagtail/wagtail/commit/284f75a6f91f7ab18cc304d7d34f33b559ae37b1 https://github.com/wagtail/wagtail/security/advisories/GHSA-xxfm-vmcf-g33f • CWE-280: Improper Handling of Insufficient Permissions or Privileges •