Unauthenticated access to new private chat messages
Package
Discourse
(Discourse)
Affected versions
stable > 3.1.0 && < 3.1.2; beta/tests-passed > 3.1.0.beta6 && < 3.2.0.beta3
Patched versions
stable >= 3.1.2; beta/tests-passed >= 3.2.0.beta3
Impact
New chat messages can be read by making an unauthenticated POST request to MessageBus.
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Workarounds
None.