| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| universal-omega/dynamic-page-list3 | composer | < 3.6.4 | 3.6.4 |

The vulnerability lies in the DynamicPageList3 extension's failure to respect user visibility flags (hidden or suppressed users) in multiple functions. The root cause is twofold:

1. Direct Username Exposure: The DynamicPageList3\Article::newFromRow function was responsible for fetching and displaying user information like the author or last editor. It directly retrieved usernames from the database without checking if the user account was hidden or if the specific revision had the user's name suppressed. This caused the direct leakage of hidden usernames in the output of DPL queries using parameters like adduser, addauthor, and addcontribution.
2. Indirect Information Leakage: A set of private methods within the DynamicPageList3\Query class (_createdby, _modifiedby, _lastmodifiedby, and their 'not' counterparts) were used to filter pages based on user activity. These functions accepted usernames as input but failed to check if the user was hidden before building the database query. This allowed an attacker to use these filters to confirm the activity of a hidden user, thereby indirectly leaking information about their contributions.

The provided patch addresses both issues. It modifies Article::newFromRow to check for hidden and revision-deleted users and return a generic message instead of the username. It also adds checks in the Query methods to stop processing if the query involves a hidden user, preventing the indirect information leak.
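
The two checks described above, modelled as a standalone regression test. This is an added example, not the extension's code or its patch: the rows, user names, placeholder text and the helpers userSuppressed, displayUser, pagesByUser and check are hypothetical, and only the DELETED_USER bit value is taken from MediaWiki's RevisionRecord.

```php
<?php
// Added illustration, not DynamicPageList3 code; rows and user names are constructed.
// DELETED_USER has the value of MediaWiki's RevisionRecord::DELETED_USER bit.
const DELETED_USER = 4;
const PLACEHOLDER = '(username hidden)'; // hypothetical wording for the generic message

$hiddenUsers = [ 'HiddenAlice' ]; // accounts whose names are hidden
$rows = [ // revision rows as a list query might return them
	[ 'page' => 'Foo', 'user' => 'Bob', 'rev_deleted' => 0 ],
	[ 'page' => 'Bar', 'user' => 'HiddenAlice', 'rev_deleted' => 0 ],
	[ 'page' => 'Baz', 'user' => 'Carol', 'rev_deleted' => DELETED_USER ],
];

function userSuppressed( array $row ): bool {
	return ( $row['rev_deleted'] & DELETED_USER ) !== 0;
}

// Display path: decide per row whether the stored name may be rendered.
function displayUser( array $row, array $hiddenUsers ): string {
	$hidden = in_array( $row['user'], $hiddenUsers, true );
	return ( $hidden || userSuppressed( $row ) ) ? PLACEHOLDER : $row['user'];
}

// Filter path: stop before building the query when the name is a hidden account.
function pagesByUser( string $name, array $rows, array $hiddenUsers ): array {
	if ( in_array( $name, $hiddenUsers, true ) ) {
		return [];
	}
	$pages = [];
	foreach ( $rows as $row ) {
		// Extra guard in this model: a suppressed attribution never matches a filter.
		if ( $row['user'] === $name && !userSuppressed( $row ) ) {
			$pages[] = $row['page'];
		}
	}
	return $pages;
}

function check( bool $ok, string $what ): void {
	if ( !$ok ) {
		throw new RuntimeException( "check failed: $what" );
	}
}

check( displayUser( $rows[0], $hiddenUsers ) === 'Bob', 'visible user must still render' );
check( displayUser( $rows[1], $hiddenUsers ) === PLACEHOLDER, 'hidden account shown' );
check( displayUser( $rows[2], $hiddenUsers ) === PLACEHOLDER, 'suppressed name shown' );
check( pagesByUser( 'Bob', $rows, $hiddenUsers ) === [ 'Foo' ], 'normal filter broken' );
// A hidden name must be indistinguishable from a name with no edits.
check( pagesByUser( 'HiddenAlice', $rows, $hiddenUsers ) === pagesByUser( 'NoSuchUser', $rows, $hiddenUsers ), 'filter oracle' );
echo "all checks passed\n";
```

The last check is the one that covers the indirect leak: if a filter on a hidden name returns anything different from a filter on a name with no edits, the filter still confirms that user's activity.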