The vulnerability described is a missing authorization check when listing attachments via REST API endpoints. The primary commit 'a43e933ddeda17dad1772396e1757998260e9342' shows that the getAttachments method in org.xwiki.rest.internal.resources.BaseAttachmentsResource was modified to add an explicit authorization check (.filter(a -> authorization.hasAccess(Right.VIEW, a.getReference()))). This indicates that, prior to this patch, this method did not correctly filter attachments based on user rights, which is the core of the vulnerability.

The getAttachments methods in the concrete resource implementation classes (AttachmentsResourceImpl, SpaceAttachmentsResourceImpl, and WikiAttachmentsResourceImpl) are the public-facing REST API handlers. These methods call super.getAttachments(...), which refers to the method in BaseAttachmentsResource. Therefore, these subclass methods were vulnerable because they utilized the flawed BaseAttachmentsResource.getAttachments method. The patch to the base class effectively remediated the vulnerability for all these public endpoints. These functions would appear in a runtime profile when the vulnerability is triggered, as they are part of the call chain processing the request and returning the unfiltered attachment list.