XWiki Platform Message Stream Data Leakage Vulnerability
Vulnerability
A vulnerability allowing data leakage through the Message Stream feature has been identified in XWiki Platform versions 5.0 prior to 16.7.1. It affects installations that have Message Stream enabled and that have configured a wiki to prevent unregistered users from viewing pages. In this scenario, messages sent to 'everyone' in a subwiki are visible to all visitors of the main wiki, regardless of the subwiki's privacy settings. This occurs because such messages are broadcast to the entire farm and can be read through the main wiki's Dashboard.
Impact
Exploitation of this vulnerability allows unregistered users to read 'public' messages from closed wikis via notifications surfaced on other wikis, creating an unintended data exposure.
Reproduction
To reproduce this vulnerability, log into an XWiki instance as an admin and create a subwiki. In the subwiki's administration settings, enable the Message Stream feature and configure the wiki to prevent unregistered users from viewing pages. After sending a message to 'everyone' in the subwiki, the message appears on the main wiki's Dashboard, where it is accessible to unregistered users despite the subwiki's privacy settings. The same behavior can be observed when notifications are sent from one subwiki to another, with similar results for unregistered users.
Remediation
Users are advised to keep the Message Stream feature disabled, which is its default state, as the feature is no longer supported. The setting is managed through the XWiki Administration interface under the Social section.