SCA: security update for wagtail (GHSA-xxfm-vmcf-g33f)

medium Tenable Cloud Security Plugin ID 420743

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Wagtail is an open source content management system built on Django. Due to an improperly applied
permission check in the `wagtail.contrib.settings` module, a user with access to the Wagtail admin and
knowledge of the URL of the edit view for a settings model can access and update that setting, even when
they have not been granted permission over the model. The vulnerability is not exploitable by an ordinary
site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 6.0.5 and
6.1.2. Wagtail releases prior to 6.0 are unaffected. Users are advised to upgrade. Site owners who are
unable to upgrade to a patched version can avoid the vulnerability in `ModelViewSet` by registering the
model as a snippet instead. No workaround is available for `wagtail.contrib.settings`. (CVE-2024-35228)

See Also

https://github.com/advisories/GHSA-xxfm-vmcf-g33f

Plugin Details

Severity: Medium

ID: 420743

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 51.76

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:M/C:P/I:C/A:N

CVSS Score Source: CVE-2024-35228

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/2/2024

Vulnerability Publication Date: 5/30/2024

Reference Information

CVE: CVE-2024-35228

cwe: CWE-280