CVE-2022-21683: Comment reply notifications sent to incorrect users

CVSS Score (v3.1): 3.5

Basic Information

EPSS Score: 0.4462%
Published: 1/21/2022
Updated: 11/19/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Package Name: wagtail
Ecosystem: pip
Vulnerable Versions: >= 2.13, < 2.15.2
First Patched Version: 2.15.2

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from the thread_users query in send_commenting_notifications. The pre-patch code selected recipients with

  .exclude(Q(comment_replies__isnull=True) & Q(comments__isnull=True))

which incorrectly included every user who had ever commented or replied anywhere on the site. The patched version replaces this with

  .filter(Q(comment_replies__comment_id__in=relevant_comment_ids) | Q(comments__pk__in=relevant_comment_ids))

restricting recipients to actual participants in the affected threads. The test additions in test_edit_page.py verify this by ensuring that a user with comments only on unrelated pages (never_emailed_user) is excluded from notifications.
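As an added illustration (not Wagtail's code), the two recipient selections above are modelled in plain Python over constructed comment data, so the pre-patch over-inclusion and the patched restriction can be compared side by side; the dataclass names, fixture usernames and the relevant_comment_ids value are assumptions that mirror the description.

```python
"""Added example, not Wagtail's code: plain-Python model of the thread_users
selection before and after the CVE-2022-21683 fix, run on constructed data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Comment:
    pk: int
    page: str          # page the comment sits on (constructed label)
    user: str          # author's username


@dataclass(frozen=True)
class CommentReply:
    comment_id: int    # the Comment this reply belongs to
    user: str


def thread_users_prepatch(users, comments, replies, relevant_comment_ids):
    """Mirrors .exclude(Q(comment_replies__isnull=True) & Q(comments__isnull=True)).
    Only users with no comment AND no reply anywhere are dropped, so (by De Morgan)
    anyone who ever commented or replied on any page is a recipient.
    relevant_comment_ids is never consulted: that is the defect."""
    commenters = {c.user for c in comments}
    repliers = {r.user for r in replies}
    return {u for u in users if u in commenters or u in repliers}


def thread_users_patched(users, comments, replies, relevant_comment_ids):
    """Mirrors .filter(Q(comment_replies__comment_id__in=relevant_comment_ids)
    | Q(comments__pk__in=relevant_comment_ids)): keep a user only if they wrote
    one of the relevant comments or replied to one of them."""
    relevant = set(relevant_comment_ids)
    thread_commenters = {c.user for c in comments if c.pk in relevant}
    thread_repliers = {r.user for r in replies if r.comment_id in relevant}
    return {u for u in users if u in thread_commenters or u in thread_repliers}


# Constructed fixture modelled on the regression test described above: one thread
# on the edited page, a user who only commented on an unrelated page, and a user
# who never commented at all. (Exclusion of the acting user and of page
# subscribers, which the real view also does, is left out for brevity.)
USERS = {"thread_author", "thread_replier", "never_emailed_user", "silent_user"}
COMMENTS = [
    Comment(pk=1, page="edited-page", user="thread_author"),
    Comment(pk=2, page="unrelated-page", user="never_emailed_user"),
]
REPLIES = [CommentReply(comment_id=1, user="thread_replier")]
RELEVANT_COMMENT_IDS = [1]   # the comment that just received a new reply


def recipients(selector):
    """Run one of the two selectors against the constructed fixture."""
    return selector(USERS, COMMENTS, REPLIES, RELEVANT_COMMENT_IDS)
```

Running both selectors shows never_emailed_user notified pre-patch despite having no part in the thread, and absent once the filter is keyed on relevant_comment_ids.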

Impact

When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment
