CVE-2024-35228

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-35228

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35228.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-35228

Aliases

GHSA-xxfm-vmcf-g33f

Related

GHSA-xxfm-vmcf-g33f

Published

2024-05-30T19:15:16Z

Modified

2025-01-15T05:14:24.132996Z

Summary

[none]

Details

Wagtail is an open source content management system built on Django. Due to an improperly applied permission check in the wagtail.contrib.settings module, a user with access to the Wagtail admin and knowledge of the URL of the edit view for a settings model can access and update that setting, even when they have not been granted permission over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 6.0.5 and 6.1.2. Wagtail releases prior to 6.0 are unaffected. Users are advised to upgrade. Site owners who are unable to upgrade to a patched version can avoid the vulnerability in ModelViewSet by registering the model as a snippet instead. No workaround is available for wagtail.contrib.settings.

References

Affected packages

Git / github.com/wagtail/wagtail

Affected ranges

Type: GIT
Repo: https://github.com/wagtail/wagtail
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

284f75a6f91f7ab18cc304d7d34f33b559ae37b1

Fixed

284f75a6f91f7ab18cc304d7d34f33b559ae37b1

Affected versions

Other

after-modeladmin-fix

caltech-upgrade-point-1

v0.*

v0.1

v0.2

v0.3

v0.3.1

v0.4

v0.5

v0.6

v0.7

v0.8

v0.8.1

v1.*

v1.0b1

v1.0b2

v1.0rc1

v1.10rc1

v1.1rc1

v1.2rc1

v1.3rc1

v1.4rc1

v1.5rc1

v1.6rc1

v1.8rc1

v2.*

v2.0b1

v2.11.rc1

v2.16rc1

v2.1rc1

v2.2rc1

v2.8rc1

v4.*

v4.1rc1