CVE-2022-21683: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in wagtail wagtail
Wagtail is a Django based content management system focused on flexibility and user experience. When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they do not have editing access to, as long as they have left a comment or reply somewhere on the site. A patched version has been released as Wagtail 2.15.2, which restores the intended behaviour - to send notifications for new replies to the participants in the active thread only (editing permissions are not considered). New comments can be disabled by setting `WAGTAILADMIN_COMMENTS_ENABLED = False` in the Django settings file.
AI Analysis
Technical Summary
CVE-2022-21683 is a medium-severity vulnerability affecting the Wagtail content management system (CMS), which is built on the Django framework and widely used for its flexibility and user experience. The vulnerability arises from improper handling of notification recipients for new replies in comment threads. Specifically, when a new reply is posted, Wagtail versions from 2.13 up to but not including 2.15.2 send notifications to all users who have previously commented anywhere on the site, rather than limiting notifications to participants of the specific comment thread. This behavior results in unauthorized exposure of sensitive information, as users can receive notifications about discussions on pages or threads they do not have editing access to and may not be authorized to monitor. The vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. The issue does not require elevated privileges or authentication beyond having commented once on the site, and no user interaction beyond receiving notifications is necessary. The flaw was addressed in Wagtail version 2.15.2, which restored the intended behavior of restricting notifications to participants of the active thread only, regardless of editing permissions. Additionally, disabling comments entirely via the Django setting `WAGTAILADMIN_COMMENTS_ENABLED = False` can mitigate the issue by preventing comment notifications altogether. There are no known exploits in the wild, and no CVSS score has been assigned to this vulnerability. The impact primarily concerns confidentiality, as unauthorized users can gain insight into ongoing discussions and potentially sensitive content through notifications. Integrity and availability are not directly affected by this vulnerability.
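The following is an added illustration, not Wagtail's own code: it models the two recipient-selection rules the summary contrasts (the pre-2.15.2 "everyone who has commented anywhere" rule and the restored "participants of this thread only" rule) over plain Python records instead of Django models, and computes the set of users a notification would reach without being thread participants. The comment, reply and user data are constructed sample values; the class and function names are assumptions made for the example.

```python
"""Recipient selection for "new reply" notifications, vulnerable vs. fixed.

Added example for CVE-2022-21683; not Wagtail's code. Uses constructed
in-memory records so it runs offline without Django.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Comment:
    id: int
    page_id: int   # page the comment thread belongs to
    author: str


@dataclass(frozen=True)
class Reply:
    id: int
    comment_id: int   # root comment (thread) this reply belongs to
    author: str


# Constructed sample data: two pages, one thread on each, four users.
COMMENTS = [
    Comment(1, page_id=10, author="alice"),   # thread on page 10
    Comment(2, page_id=20, author="carol"),   # thread on page 20
]
REPLIES = [
    Reply(1, comment_id=1, author="bob"),     # bob joins alice's thread
    Reply(2, comment_id=2, author="dave"),    # dave joins carol's thread
]


def recipients_vulnerable(new_reply: Reply) -> set[str]:
    """Pre-2.15.2 behaviour as the advisory describes it: every user who has
    commented or replied anywhere on the site is notified, minus the author
    of the new reply. Page and thread membership are never consulted."""
    everyone = {c.author for c in COMMENTS} | {r.author for r in REPLIES}
    return everyone - {new_reply.author}


def recipients_fixed(new_reply: Reply) -> set[str]:
    """Intended behaviour restored in 2.15.2: only participants of the thread
    the reply belongs to (the root comment's author plus earlier repliers),
    minus the author of the new reply. Editing permissions are not checked,
    matching the advisory's note that they are not considered."""
    thread = next(c for c in COMMENTS if c.id == new_reply.comment_id)
    participants = {thread.author} | {
        r.author for r in REPLIES if r.comment_id == thread.id
    }
    return participants - {new_reply.author}


def leaked_recipients(new_reply: Reply) -> set[str]:
    """Users the vulnerable rule would notify although they are not thread
    participants: the disclosure surface for this reply."""
    return recipients_vulnerable(new_reply) - recipients_fixed(new_reply)


if __name__ == "__main__":
    # alice answers bob in the thread on page 10
    new = Reply(3, comment_id=1, author="alice")
    print("vulnerable:", sorted(recipients_vulnerable(new)))   # ['bob', 'carol', 'dave']
    print("fixed:     ", sorted(recipients_fixed(new)))        # ['bob']
    print("leaked to: ", sorted(leaked_recipients(new)))       # ['carol', 'dave']
```

The difference between the two functions is the whole defect: the vulnerable rule derives its recipient set from site-wide comment history, so carol and dave, who only ever commented on page 20, learn that a reply was posted on page 10. The fixed rule starts from the thread's root comment and walks only its own replies, which is the check to confirm in any custom notification code that mirrors Wagtail's.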
Potential Impact
For European organizations using affected versions of Wagtail CMS, this vulnerability poses a risk of unintended information disclosure. Sensitive internal discussions or feedback on web pages could be leaked to unauthorized users who have previously commented elsewhere on the site. This could lead to breaches of confidentiality, especially in sectors handling sensitive data such as government, finance, healthcare, and critical infrastructure. The exposure could undermine trust in the organization's information governance and compliance with data protection regulations like GDPR, which mandates strict controls over personal and sensitive data. While the vulnerability does not allow modification or deletion of data, the leakage of discussion content could reveal strategic plans, internal issues, or personal information. Organizations with public-facing Wagtail sites that allow user comments are particularly at risk, as any user who has commented once could receive notifications about unrelated threads. This could also facilitate social engineering or targeted phishing attacks by providing attackers with insights into internal conversations or stakeholder interactions.
Mitigation Recommendations
1. Upgrade affected Wagtail installations to version 2.15.2 or later, where the notification logic has been corrected to restrict notifications to participants of the relevant comment thread only.
2. If immediate upgrading is not feasible, consider disabling comments entirely by setting `WAGTAILADMIN_COMMENTS_ENABLED = False` in the Django settings to prevent comment notifications and thus eliminate the exposure vector.
3. Review and audit user comment permissions and history to identify users who may have received unauthorized notifications and assess potential information leakage.
4. Implement monitoring and alerting on unusual notification patterns or user activity related to comment threads to detect potential exploitation attempts.
5. Educate content managers and administrators about the vulnerability and encourage prompt patching and configuration changes.
6. For organizations with strict confidentiality requirements, consider restricting commenting functionality to authenticated and authorized users only, reducing the risk of unauthorized notification recipients.
7. Regularly review and update Wagtail and Django dependencies to incorporate security patches and improvements.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Belgium, Italy, Spain, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2021-11-16T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9842c4522896dcbf22b0
Added to database: 5/21/2025, 9:09:22 AM
Last enriched: 6/23/2025, 6:18:57 PM
Last updated: 8/18/2025, 4:30:05 AM