Exclude_tags param could leak which topics had a specific hidden tag
Package
No package listed
Affected versions
stable <= 3.0.0; beta <= 3.1.0.beta1; tests-passed <= 3.0.1.beta1
Patched versions
stable >= 3.0.1; beta >= 3.1.0.beta2; tests-passed >= 3.1.0.beta2
Impact
Using the exclude_tag param you could filter out topics and deduce which ones were using a specific hidden tag. This affects any Discourse site using hidden tags in public categories.
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse
Workarounds
Secure any categories that are using hidden tags, change any existing hidden tags to not include private data, or remove any hidden tags currently in use.