
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in Wagtail, an open source content management system built on Django, identified as CVE-2023-45809. The vulnerability allows users with limited-permission editor accounts to access display names of user accounts through the admin bulk action views. This security issue was disclosed on October 19, 2023, affecting Wagtail versions <4.1.9, 4.2-5.0.4, and 5.1-5.1.2 (Vendor Advisory).
The vulnerability occurs when a user with limited permissions makes a direct URL request to the admin view that handles bulk actions on user accounts. While the permission checks prevent unauthorized changes, the error message inadvertently discloses the display names of the targeted user accounts. By manipulating URL parameters, an attacker can retrieve display names for any user in the system. The vulnerability has been assigned a CVSS v3.1 base score of 2.7 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N (Vendor Advisory).
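As an added illustration (not Wagtail's code and not part of this report), the following simplified Python model of the bug class shows a bulk-action handler whose permission-denial message is built from the targets' display names, beside a hardened version that decides on the permission before resolving any objects and echoes nothing about them. All classes, names and sample data are hypothetical; the final function is a regression check a maintainer could run over response messages.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    pk: int
    display_name: str


@dataclass(frozen=True)
class Editor:
    username: str
    can_change_users: bool  # stands in for the user-management permission


# Constructed sample user table (hypothetical data).
ACCOUNTS = {
    1: Account(1, "Alice Admin"),
    2: Account(2, "Bob Builder"),
    3: Account(3, "Carol Contractor"),
}


def resolve(ids):
    """Look up the accounts named by ids taken from the URL, ignoring unknown ones."""
    return [ACCOUNTS[i] for i in ids if i in ACCOUNTS]


def bulk_delete_leaky(editor, ids):
    """Permission is enforced (nothing is deleted), but the denial message is
    built from the resolved objects, so a limited editor learns display names
    simply by passing arbitrary ids in the request."""
    targets = resolve(ids)
    if not editor.can_change_users:
        names = ", ".join(a.display_name for a in targets)
        return False, f"You do not have permission to delete: {names}"
    return True, f"Deleted {len(targets)} user(s)"


def bulk_delete_hardened(editor, ids):
    """Decide on the permission before touching any object, and never echo
    attributes of records the caller is not allowed to view."""
    if not editor.can_change_users:
        return False, "You do not have permission to perform this action"
    targets = resolve(ids)
    return True, f"Deleted {len(targets)} user(s)"


def message_leaks_display_name(message):
    """Regression check: does a response mention any stored display name?"""
    return any(a.display_name in message for a in ACCOUNTS.values())
```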
The impact of this vulnerability is limited to information disclosure, specifically the display names of user accounts. The vulnerability only affects users who have access to the Wagtail admin interface and cannot be exploited by ordinary site visitors without admin access (Vendor Advisory).
Patched versions have been released as Wagtail 4.1.9 (LTS), 5.0.5, and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. There are no known workarounds for this vulnerability, and users are advised to upgrade to the patched versions (Vendor Advisory).
Source: This report was generated using AI