CVE-2019-16766
Severity: HIGH
wagtail-2fa < 1.3.0 - Authentication Bypass via URL Manipulation
In wagtail-2fa before 1.3.0, an attacker who obtains a user's Wagtail login credentials can log into the CMS and bypass the 2FA check by changing the URL. They can then register a new device and gain full access to the CMS. This problem has been patched in version 1.3.0.
References (3)
Third Party Advisory (x_refsource_confirm): https://github.com/LabD/wagtail-2fa/security/advisories/GHSA-89px-ww3j-g2mm
Patch, Third Party Advisory (x_refsource_misc): https://github.com/labd/wagtail-2fa/commit/a6711b29711729005770ff481b22675b35ff5c81
Patch, Third Party Advisory (x_refsource_misc): https://github.com/labd/wagtail-2fa/commit/13b12995d35b566df08a17257a23863ab6efb0ca
Scores
CVSS v3: 8.7
EPSS: 0.0116
EPSS Percentile: 63.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Details
CWE: CWE-290, CWE-304
Status: published
Products (2)
labdigital/wagtail-2fa: < 1.3.0
pypi/wagtail-2fa: 0 - 1.3.0 (PyPI)
Published: Nov 29, 2019
Tracked Since: Feb 18, 2026