CVE-2023-45809

Disclosure of user names via admin bulk action views in wagtail

Severity Score

2.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Wagtail es un sistema de gestión de contenidos de código abierto construido sobre Django. Un usuario con una cuenta de editor con permisos limitados para el administrador de Wagtail puede realizar una solicitud de URL directa a la vista de administrador que maneja acciones masivas en cuentas de usuario. Si bien las reglas de autenticación impiden que el usuario realice cambios, el mensaje de error revela los nombres para mostrar de las cuentas de usuario y, al modificar los parámetros de URL, el usuario puede recuperar el nombre para mostrar de cualquier usuario. La vulnerabilidad no es explotable por un visitante normal del sitio sin acceso al administrador de Wagtail. Se han lanzado versiones parcheadas como Wagtail 4.1.8 (LTS), 5.0.5 y 5.1.3. La solución también se incluye en la versión candidata 1 de la próxima versión Wagtail 5.2. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

*Credits: N/A

CVSS Scores

NISTv3.1 2.7

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-10-13 CVE Reserved
2023-10-19 CVE Published
2024-08-02 CVE Updated
2024-10-25 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-425: Direct Request ('Forced Browsing')
CWE-532: Insertion of Sensitive Information into Log File

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/wagtail/wagtail/commit/bc96aed6ac53f998b2f4c4bf97e2d4f5fe337e5b	2023-12-28

URL	Date	SRC
https://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h	2023-12-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Torchbox Search vendor "Torchbox"		Wagtail Search vendor "Torchbox" for product "Wagtail"				< 4.1.9 Search vendor "Torchbox" for product "Wagtail" and version " < 4.1.9"		-		Affected
Torchbox Search vendor "Torchbox"		Wagtail Search vendor "Torchbox" for product "Wagtail"				>= 4.2 < 5.0.5 Search vendor "Torchbox" for product "Wagtail" and version " >= 4.2 < 5.0.5"		-		Affected
Torchbox Search vendor "Torchbox"		Wagtail Search vendor "Torchbox" for product "Wagtail"				>= 5.1 < 5.1.3 Search vendor "Torchbox" for product "Wagtail" and version " >= 5.1 < 5.1.3"		-		Affected