You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
2FA bypass in Wagtail through new device path
High severity
GitHub Reviewed
Published
Nov 28, 2019
in
labd/wagtail-2fa
•
Updated Jan 9, 2023
If someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS.
Patches
This problem has been patched in version 1.3.0.
Workarounds
There is no workaround at the moment.
For more information
If you have any questions or comments about this advisory:
2FA bypass through new device path
Impact
If someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS.
Patches
This problem has been patched in version 1.3.0.
Workarounds
There is no workaround at the moment.
For more information
If you have any questions or comments about this advisory:
References