| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-messagestream | maven | >= 5.0, <= 16.7.1 | None (unpatched; Message Stream is deprecated) |
The vulnerability (XWIKI-17154, GHSA-42fh-pvvh-999x) describes a situation in which messages posted in a closed subwiki (one configured to deny viewing to unregistered users) become visible to unauthenticated users on a different wiki's dashboard through the Message Stream feature. The affected package is 'org.xwiki.platform:xwiki-platform-messagestream'. Because the vulnerability was not patched (Message Stream is deprecated), there are no commit details to analyze.

The identification of the vulnerable function is therefore an inference from the vulnerability's description and the typical architecture of XWiki components. The core issue lies in the Message Stream's data retrieval mechanism: when messages are fetched for display in a cross-wiki context, the check that is applied is that of the wiki showing the dashboard, and the source wiki's access controls are not enforced per message. An unauthenticated user on an open wiki therefore receives messages originating in a closed subwiki. A function such as 'getEvents' in a service such as 'DefaultMessageStreamService' (a plausible name and structure within the 'org.xwiki.platform.messagestream' package) would be responsible for fetching these messages and is the likely location of the flawed logic.

Confidence is 'medium' because the available information contains no specific patch or source-code references, so the conclusion rests on inference from the described behavior and the affected component.
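The following is an added illustrative model of the access-control gap described above; it is not XWiki code and does not use XWiki's APIs. Wikis, events and users are plain Python objects, and the names 'get_events_vulnerable', 'get_events_hardened', 'can_view' and the sample wikis and messages are all constructed for this example. It contrasts a fetch that checks only the wiki displaying the dashboard with one that re-checks each message against the rights of the wiki it was posted in, and includes an audit helper that lists what the weaker check would expose.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Wiki:
    name: str
    guest_can_view: bool  # False models a "closed" subwiki (no view for unregistered users)


@dataclass(frozen=True)
class Event:
    id: int
    wiki: str  # wiki in which the message was posted (its source wiki)
    body: str


@dataclass(frozen=True)
class User:
    name: Optional[str]  # None models an unauthenticated guest
    member_of: FrozenSet[str] = frozenset()  # wikis the user is registered in


# Constructed sample data: one open wiki and one closed subwiki, each with a message.
WIKIS = {
    "main": Wiki("main", guest_can_view=True),
    "closed": Wiki("closed", guest_can_view=False),
}
EVENTS = [
    Event(1, "main", "public announcement"),
    Event(2, "closed", "internal note for registered members"),
]
GUEST = User(None)
MEMBER = User("alice", frozenset({"closed"}))


def can_view(user: User, wiki: Wiki) -> bool:
    """View right on a wiki: open wikis allow anyone, closed wikis only registered members."""
    if wiki.guest_can_view:
        return True
    return user.name is not None and wiki.name in user.member_of


def get_events_vulnerable(user: User, current_wiki: str) -> List[Event]:
    """Models the flaw: only the displaying wiki is checked, then every message is returned."""
    if not can_view(user, WIKIS[current_wiki]):
        return []
    return list(EVENTS)  # cross-wiki fetch with no per-message source-wiki check


def get_events_hardened(user: User, current_wiki: str) -> List[Event]:
    """Corrected form: each message must also pass the view check of its own source wiki."""
    if not can_view(user, WIKIS[current_wiki]):
        return []
    return [e for e in EVENTS if can_view(user, WIKIS[e.wiki])]


def find_leaks(user: User, current_wiki: str) -> List[int]:
    """Audit helper: ids of messages the weak fetch shows that the source-wiki check would deny."""
    allowed = {e.id for e in get_events_hardened(user, current_wiki)}
    return [e.id for e in get_events_vulnerable(user, current_wiki) if e.id not in allowed]


if __name__ == "__main__":
    print("guest on main, vulnerable :", [e.id for e in get_events_vulnerable(GUEST, "main")])
    print("guest on main, hardened   :", [e.id for e in get_events_hardened(GUEST, "main")])
    print("leaked to guest on main   :", find_leaks(GUEST, "main"))
    print("member on main, hardened  :", [e.id for e in get_events_hardened(MEMBER, "main")])
```

The design point is where the check sits: a per-wiki gate at the top of the fetch is not enough once the fetch aggregates across wikis, so the right has to be evaluated against each message's source wiki. The 'find_leaks' helper is the kind of comparison a defender can run against an aggregating view to confirm whether source-side rights are being honoured.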