Bypass of permission check on individual fields in Wagtail models
CVE-2024-32882
What is CVE-2024-32882?
Wagtail, a popular open-source content management system built on Django, contains an authorization bypass in certain versions. The issue arises when a model has been made available for editing through the wagtail.contrib.settings module or through ModelViewSet, and access to one or more of that model's fields has been further restricted with the permission argument on FieldPanel. The restriction is applied when the edit form is rendered, but not when a submitted form is processed: a user who has permission to edit the model, but not the permission required for a restricted field, can craft an HTTP POST request that includes a value for that field, and the value is saved. In effect, hiding the field from the user's form does not prevent the user from changing it.

This vulnerability cannot be exploited by ordinary site visitors or by users who lack edit permission on the model in question; it only widens what an already-authorized editor of the model can change.

Affected users should upgrade to a patched version (Wagtail 6.0.3 or 6.1). For sites that cannot upgrade, the advisory recommends the following workarounds: for a model exposed through ModelViewSet, register it as a snippet instead; for a settings model, move the restricted fields into a separate settings model and apply permissions at the model level, where they are enforced on both rendering and saving.
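The bypass described above, reduced to its essential pattern as an added illustration. This is constructed example code, not Wagtail's implementation: the User class, the SiteSettings-style field table, the permission strings and the two save handlers are hypothetical stand-ins for a settings model or ModelViewSet whose FieldPanels carry a permission argument. It shows why a permission check applied only at render time is not an authorization control, and what the fix has to look like: the same filter must decide which fields the bound form will accept.

```python
# Added illustration of the CVE-2024-32882 pattern. Constructed example code,
# not Wagtail's own: the model, field names, permission strings and handler
# functions are hypothetical and stand in for a Wagtail settings model or
# ModelViewSet whose FieldPanels use the permission argument.
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class User:
    username: str
    permissions: set = field(default_factory=set)
    is_superuser: bool = False

    def has_perm(self, perm: str) -> bool:
        # "superuser" mirrors the special value accepted by FieldPanel(permission=...)
        if self.is_superuser:
            return True
        if perm == "superuser":
            return False
        return perm in self.permissions


# Hypothetical settings model: field name -> permission needed to edit it
# (None means any user who may edit the model). Plays the role of
# FieldPanel("api_key", permission="superuser") in a panel definition.
FIELD_PANELS = {
    "site_name": None,
    "tagline": None,
    "api_key": "superuser",
}
MODEL_EDIT_PERM = "site.change_sitesettings"  # hypothetical model-level permission


def editable_fields(user: User) -> list:
    """Fields this user is allowed to see and edit; used when rendering the form."""
    return [name for name, perm in FIELD_PANELS.items() if perm is None or user.has_perm(perm)]


def parse_post(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded request body."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def save_vulnerable(user: User, record: dict, body: str) -> dict:
    """Pre-fix behaviour: the permission filter is applied only when rendering.

    The bound form still accepts every model field from the POST data, so a
    field that was hidden from this user is written if the request names it.
    """
    if not user.has_perm(MODEL_EDIT_PERM):
        raise PermissionError("no edit permission on the model")
    data = parse_post(body)
    for name in FIELD_PANELS:  # every model field, regardless of the user
        if name in data:
            record[name] = data[name]
    return record


def save_fixed(user: User, record: dict, body: str) -> dict:
    """Post-fix behaviour: the same filter governs which fields are bound.

    Fields the user may not edit are excluded from the form, so values posted
    for them are ignored exactly as any unknown POST key would be.
    """
    if not user.has_perm(MODEL_EDIT_PERM):
        raise PermissionError("no edit permission on the model")
    allowed = set(editable_fields(user))
    data = parse_post(body)
    for name, value in data.items():
        if name in allowed:
            record[name] = value
    return record


def demo() -> dict:
    """Replay one crafted POST against both handlers; returns the resulting records."""
    editor = User("editor", permissions={MODEL_EDIT_PERM})
    stored = {"site_name": "Example", "tagline": "", "api_key": "old-secret"}
    # Constructed request body: the form rendered for the editor has no api_key
    # input, but nothing stops the client from adding one to the POST.
    crafted = "site_name=Example&tagline=Hacked&api_key=attacker-controlled"
    return {
        "rendered_fields": editable_fields(editor),
        "vulnerable": save_vulnerable(editor, dict(stored), crafted),
        "fixed": save_fixed(editor, dict(stored), crafted),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

Running the block shows the editor's form listing only site_name and tagline, the vulnerable handler nonetheless overwriting api_key from the crafted POST, and the fixed handler keeping the old value while still applying the tagline change. The model-level check in both handlers is what keeps a user without edit permission on the model out entirely, which is why the advisory notes that ordinary visitors cannot exploit the flaw.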
Affected Version(s)
wagtail >= 6.0.0, < 6.0.3
