Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-45809

Good to know:

icon
icon

Date: October 19, 2023

Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Python

Severity Score

Related Resources (4)

https://github.com/wagtail/wagtail/commit/bc96aed6ac53f998b2f4c4bf97e2d4f5fe337e5b
https://nvd.nist.gov/vuln/detail/CVE-2023-45809
https://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h
https://www.mend.io/vulnerability-database/CVE-2023-45809

Severity Score

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Information Exposure Through Log Files

CWE-532

Direct Request ('Forced Browsing')

CWE-425

Top Fix

icon

Upgrade Version

Upgrade to version wagtail - 4.1.9,5.0.5,5.1.3

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): HIGH
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us