cnlucas
commented
5 months ago https://github.com/advisories/GHSA-xxfm-vmcf-g33f
Wagtail versions below 6.0 are not affected, we are currently on 5.2
Closed tmpayton closed 5 months ago
cnlucas
commented
5 months ago https://github.com/advisories/GHSA-xxfm-vmcf-g33f
Wagtail versions below 6.0 are not affected, we are currently on 5.2
Affecting wagtail package, versions [,6.0.5) [6.1rc1,6.1.2)
How to fix? Upgrade wagtail to version 6.0.5, 6.1.2 or higher.
Overview wagtail is an open source content management system built on Django.
Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the wagtail.contrib.settings module. An attacker with access to the admin and knowledge of the URL of the edit view for a settings model can modify settings without proper permissions.
Workaround This vulnerability can be mitigated in ModelViewSet by registering the model as a snippet instead. No workaround is available for wagtail.contrib.settings.
References GitHub Commit
Completion Criteria