{
  "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54707?format=json",
  "vulnerability_id": "VCID-dw47-n3f3-ffa2",
  "summary": "Wagtail has permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet`\nIf a model has been made available for editing through the [`wagtail.contrib.settings`](https://docs.wagtail.org/en/stable/reference/contrib/settings.html) module or [`ModelViewSet`](https://docs.wagtail.org/en/stable/extending/generic_views.html#modelviewset), and the [`permission` argument on `FieldPanel`](https://docs.wagtail.org/en/stable/reference/pages/panels.html#wagtail.admin.panels.FieldPanel.permission) has been used to further restrict access to one or more fields of the model, a user with edit permission over the model but not the specific field can craft an HTTP POST request that bypasses the permission check on the individual field, allowing them to update its value.\n\nThe vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, or by a user who has not been granted edit access to the model in question. The editing interfaces for pages and snippets are also unaffected.",
  "aliases": [
    {"alias": "CVE-2024-32882"},
    {"alias": "GHSA-w2v8-php4-p8hc"}
  ],
  "fixed_packages": [
    {
      "url": "http://public2.vulnerablecode.io/api/packages/41857?format=json",
      "purl": "pkg:pypi/wagtail@6.0.3",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-22sk-jw8g-byek"},
        {"vulnerability": "VCID-39ey-uzfk-8qh3"},
        {"vulnerability": "VCID-8vb4-y953-b7dp"},
        {"vulnerability": "VCID-ehpx-45mk-kya5"},
        {"vulnerability": "VCID-esy5-hesv-zyf7"},
        {"vulnerability": "VCID-k7jj-wh5a-kudh"},
        {"vulnerability": "VCID-kphk-eqcu-fuhd"},
        {"vulnerability": "VCID-mj1d-3up9-2bbs"},
        {"vulnerability": "VCID-rks7-49ud-u7g2"},
        {"vulnerability": "VCID-vzg1-msbd-g3hm"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.0.3"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/50259?format=json",
      "purl": "pkg:pypi/wagtail@6.1rc1",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-22sk-jw8g-byek"},
        {"vulnerability": "VCID-39ey-uzfk-8qh3"},
        {"vulnerability": "VCID-8vb4-y953-b7dp"},
        {"vulnerability": "VCID-esy5-hesv-zyf7"},
        {"vulnerability": "VCID-kphk-eqcu-fuhd"},
        {"vulnerability": "VCID-mj1d-3up9-2bbs"},
        {"vulnerability": "VCID-rks7-49ud-u7g2"},
        {"vulnerability": "VCID-vzg1-msbd-g3hm"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.1rc1"
    }
  ],
  "affected_packages": [
    {
      "url": "http://public2.vulnerablecode.io/api/packages/81144?format=json",
      "purl": "pkg:pypi/wagtail@6.0.0",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-dw47-n3f3-ffa2"},
        {"vulnerability": "VCID-ehpx-45mk-kya5"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.0.0"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/41854?format=json",
      "purl": "pkg:pypi/wagtail@6.0",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-22sk-jw8g-byek"},
        {"vulnerability": "VCID-39ey-uzfk-8qh3"},
        {"vulnerability": "VCID-8vb4-y953-b7dp"},
        {"vulnerability": "VCID-dw47-n3f3-ffa2"},
        {"vulnerability": "VCID-ehpx-45mk-kya5"},
        {"vulnerability": "VCID-esy5-hesv-zyf7"},
        {"vulnerability": "VCID-k7jj-wh5a-kudh"},
        {"vulnerability": "VCID-kphk-eqcu-fuhd"},
        {"vulnerability": "VCID-mj1d-3up9-2bbs"},
        {"vulnerability": "VCID-rks7-49ud-u7g2"},
        {"vulnerability": "VCID-vzg1-msbd-g3hm"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.0"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/41855?format=json",
      "purl": "pkg:pypi/wagtail@6.0.1",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-22sk-jw8g-byek"},
        {"vulnerability": "VCID-39ey-uzfk-8qh3"},
        {"vulnerability": "VCID-8vb4-y953-b7dp"},
        {"vulnerability": "VCID-dw47-n3f3-ffa2"},
        {"vulnerability": "VCID-ehpx-45mk-kya5"},
        {"vulnerability": "VCID-esy5-hesv-zyf7"},
        {"vulnerability": "VCID-k7jj-wh5a-kudh"},
        {"vulnerability": "VCID-kphk-eqcu-fuhd"},
        {"vulnerability": "VCID-mj1d-3up9-2bbs"},
        {"vulnerability": "VCID-rks7-49ud-u7g2"},
        {"vulnerability": "VCID-vzg1-msbd-g3hm"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.0.1"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/41856?format=json",
      "purl": "pkg:pypi/wagtail@6.0.2",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-22sk-jw8g-byek"},
        {"vulnerability": "VCID-39ey-uzfk-8qh3"},
        {"vulnerability": "VCID-8vb4-y953-b7dp"},
        {"vulnerability": "VCID-dw47-n3f3-ffa2"},
        {"vulnerability": "VCID-ehpx-45mk-kya5"},
        {"vulnerability": "VCID-esy5-hesv-zyf7"},
        {"vulnerability": "VCID-k7jj-wh5a-kudh"},
        {"vulnerability": "VCID-kphk-eqcu-fuhd"},
        {"vulnerability": "VCID-mj1d-3up9-2bbs"},
        {"vulnerability": "VCID-rks7-49ud-u7g2"},
        {"vulnerability": "VCID-vzg1-msbd-g3hm"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.0.2"
    }
  ],
  "references": [
    {
      "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32882",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "0.00083", "scoring_system": "epss", "scoring_elements": "0.24272", "published_at": "2026-06-07T12:55:00Z"},
        {"value": "0.00083", "scoring_system": "epss", "scoring_elements": "0.24326", "published_at": "2026-06-06T12:55:00Z"},
        {"value": "0.00083", "scoring_system": "epss", "scoring_elements": "0.24345", "published_at": "2026-06-05T12:55:00Z"}
      ],
      "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32882"
    },
    {
      "reference_url": "https://docs.wagtail.org/en/stable/extending/generic_views.html#modelviewset",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},
        {"value": "LOW", "scoring_system": "generic_textual", "scoring_elements": ""},
        {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T13:08:02Z/"}
      ],
      "url": "https://docs.wagtail.org/en/stable/extending/generic_views.html#modelviewset"
    },
    {
      "reference_url": "https://docs.wagtail.org/en/stable/reference/contrib/settings.html",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},
        {"value": "LOW", "scoring_system": "generic_textual", "scoring_elements": ""},
        {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T13:08:02Z/"}
      ],
      "url": "https://docs.wagtail.org/en/stable/reference/contrib/settings.html"
    },
    {
      "reference_url": "https://docs.wagtail.org/en/stable/reference/pages/panels.html#wagtail.admin.panels.FieldPanel.permission",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},
        {"value": "LOW", "scoring_system": "generic_textual", "scoring_elements": ""},
        {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T13:08:02Z/"}
      ],
      "url": "https://docs.wagtail.org/en/stable/reference/pages/panels.html#wagtail.admin.panels.FieldPanel.permission"
    },
    {
      "reference_url": "https://github.com/wagtail/wagtail",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},
        {"value": "LOW", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://github.com/wagtail/wagtail"
    },
    {
      "reference_url": "https://github.com/wagtail/wagtail/commit/ab2a5d82b4ee3c909d2456704388ccf90e367c9b",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},
        {"value": "LOW", "scoring_system": "generic_textual", "scoring_elements": ""},
        {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T13:08:02Z/"}
      ],
      "url": "https://github.com/wagtail/wagtail/commit/ab2a5d82b4ee3c909d2456704388ccf90e367c9b"
    },
    {
      "reference_url": "https://github.com/wagtail/wagtail/commit/fa0d4829f9c81eefb37cc058e2fa1b6a918741da",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},
        {"value": "LOW", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://github.com/wagtail/wagtail/commit/fa0d4829f9c81eefb37cc058e2fa1b6a918741da"
    },
    {
      "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v6.0.3",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},
        {"value": "LOW", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://github.com/wagtail/wagtail/releases/tag/v6.0.3"
    },
    {
      "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32882",
      "reference_id": "CVE-2024-32882",
      "reference_type": "",
      "scores": [
        {"value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},
        {"value": "LOW", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32882"
    },
    {
      "reference_url": "https://github.com/advisories/GHSA-w2v8-php4-p8hc",
      "reference_id": "GHSA-w2v8-php4-p8hc",
      "reference_type": "",
      "scores": [
        {"value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
      ],
      "url": "https://github.com/advisories/GHSA-w2v8-php4-p8hc"
    },
    {
      "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-w2v8-php4-p8hc",
      "reference_id": "GHSA-w2v8-php4-p8hc",
      "reference_type": "",
      "scores": [
        {"value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},
        {"value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""},
        {"value": "LOW", "scoring_system": "generic_textual", "scoring_elements": ""},
        {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T13:08:02Z/"}
      ],
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-w2v8-php4-p8hc"
    }
  ],
  "weaknesses": [
    {
      "cwe_id": 937,
      "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
      "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
    },
    {
      "cwe_id": 1035,
      "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
      "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
    },
    {
      "cwe_id": 280,
      "name": "Improper Handling of Insufficient Permissions or Privileges",
      "description": "The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state."
    },
    {
      "cwe_id": 281,
      "name": "Improper Preservation of Permissions",
      "description": "The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended."
    }
  ],
  "exploits": [],
  "severity_range_score": "0.1 - 3",
  "exploitability": "0.5",
  "weighted_severity": "2.7",
  "risk_score": 1.4,
  "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dw47-n3f3-ffa2"
}