Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Comment reply notifications sent to incorrect users in wagtail
Vulnerability Description
Wagtail is a Django-based content management system focused on flexibility and user experience. When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only to participants in the relevant thread. This means that a user could listen in on new comment replies on pages they do not have editing access to, as long as they have left a comment or reply somewhere on the site. A patched version has been released as Wagtail 2.15.2, which restores the intended behaviour: notifications for new replies are sent to the participants in the active thread only (editing permissions are not considered). New comments can be disabled by setting `WAGTAILADMIN_COMMENTS_ENABLED = False` in the Django settings file.
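The recipient-selection difference described above, modelled as an added Python example. This is not Wagtail's own code: the `Comment` dataclass, the function names and the sample comments are constructed for illustration. It contrasts the described pre-2.15.2 behaviour (everyone who has commented anywhere on the site) with the intended behaviour (participants in the active thread only) and reports which users would wrongly receive a notification.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Comment:
    """Constructed comment model; parent_id is None for a top-level comment."""
    id: int
    page_id: int
    user: str
    parent_id: Optional[int] = None


def thread_root(comments: List[Comment], comment: Comment) -> Comment:
    """Walk parent links to the top-level comment that starts the thread."""
    by_id = {c.id: c for c in comments}
    while comment.parent_id is not None:
        comment = by_id[comment.parent_id]
    return comment


def recipients_vulnerable(comments: List[Comment], new_reply: Comment) -> Set[str]:
    """Behaviour described for versions before 2.15.2: notify every user who has
    commented or replied anywhere on the site, except the author of the reply."""
    return {c.user for c in comments if c.user != new_reply.user}


def recipients_fixed(comments: List[Comment], new_reply: Comment) -> Set[str]:
    """Intended behaviour: notify only users who took part in the thread that the
    new reply belongs to. Editing permissions are deliberately not consulted."""
    root_id = thread_root(comments, new_reply).id
    participants = {
        c.user for c in comments if thread_root(comments, c).id == root_id
    }
    participants.discard(new_reply.user)
    return participants


def leaked_recipients(comments: List[Comment], new_reply: Comment) -> Set[str]:
    """Users who would receive the reply under the old logic but not the fixed one."""
    return recipients_vulnerable(comments, new_reply) - recipients_fixed(comments, new_reply)


# Constructed sample data (assumption: mallory can only edit page 2).
SAMPLE_COMMENTS = [
    Comment(id=1, page_id=1, user="alice"),                 # thread A on page 1
    Comment(id=2, page_id=1, user="bob", parent_id=1),      # reply in thread A
    Comment(id=3, page_id=2, user="mallory"),               # unrelated thread on page 2
    Comment(id=5, page_id=1, user="dave"),                  # thread B, same page, different thread
]
NEW_REPLY = Comment(id=4, page_id=1, user="carol", parent_id=1)  # carol replies in thread A


if __name__ == "__main__":
    print("old recipients:", sorted(recipients_vulnerable(SAMPLE_COMMENTS, NEW_REPLY)))
    print("fixed recipients:", sorted(recipients_fixed(SAMPLE_COMMENTS, NEW_REPLY)))
    print("wrongly notified:", sorted(leaked_recipients(SAMPLE_COMMENTS, NEW_REPLY)))
```

Running it shows that mallory (who commented only on a page she may not be allowed to edit) and dave (a different thread on the same page) would both have received carol's reply under the old logic; the fixed selection keeps the notification within thread A.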
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Vulnerability Type
Information Exposure
Vulnerability Title
Torchbox Wagtail information disclosure vulnerability
Vulnerability Description
Torchbox Wagtail is an open-source content management system (CMS) from the UK company Torchbox. Torchbox Wagtail contains a security vulnerability. Wagtail is a Django-based content management system focused on flexibility and user experience. When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only to participants in the relevant thread. This means that a user can listen in on new comment replies on pages they do not have editing permission for, as long as they have left a comment or reply somewhere on the site. A patched version has been released as Wagtail 2.15.2, which restores the intended behaviour of sending new reply
CVSS Information
N/A
Vulnerability Type
N/A