Fixed Multi-Factor Authentication bypass vulnerability (CVE-2024-4215). #7425

2025-02-25 18:55:31 -06:00 · 2024-04-29 13:41:02 +05:30
parent e18a8bf620
commit f4761f55f7
35 changed files with 309 additions and 271 deletions
--- a/web/pgadmin/tools/user_management/init.py
+++ b/web/pgadmin/tools/user_management/init.py
@@ -13,7 +13,8 @@ import json
 from flask import render_template, request, \
    Response, abort, current_app, session
 from flask_babel import gettext as _
-from flask_security import login_required, roles_required, current_user
+from flask_security import roles_required, current_user
+from pgadmin.user_login_check import pga_login_required
 from flask_security.utils import hash_password
 from werkzeug.exceptions import InternalServerError

@@ -73,13 +74,13 @@ blueprint = UserManagementModule(


@blueprint.route("/")
-@login_required
+@pga_login_required
 def index():
    return bad_request(errormsg=_("This URL cannot be called directly."))


@blueprint.route("/user_management.js")
-@login_required
+@pga_login_required
 def script():
    """render own javascript"""
    return Response(
@@ -95,7 +96,7 @@ def script():

@blueprint.route("/current_user.js")
@pgCSRFProtect.exempt
-@login_required
+@pga_login_required
 def current_user_info():
    return Response(
        response=render_template(