CVE-2022-21683: Comment reply notifications sent to incorrect users
(updated )
When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they have not had editing access to, as long as they have left a comment or reply somewhere on the site.
References
- github.com/advisories/GHSA-xqxm-2rpm-3889
- github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2022-13.yaml
- github.com/wagtail/wagtail
- github.com/wagtail/wagtail/commit/5fe901e5d86ed02dbbb63039a897582951266afd
- github.com/wagtail/wagtail/releases/tag/v2.15.2
- github.com/wagtail/wagtail/security/advisories/GHSA-xqxm-2rpm-3889
- nvd.nist.gov/vuln/detail/CVE-2022-21683
Code Behaviors & Features
Detect and mitigate CVE-2022-21683 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →