Exposure of user post counts per topic to unauthorized users
Package
No package listed
Affected versions
stable <= 2.8.13; beta <= 3.0.0.beta15; tests-passed <= 3.0.0.beta15
Patched versions
stable >= 2.8.14; beta >= 3.0.0.beta16; tests-passed >= 3.0.0.beta16
Impact
The number of times a user posted in an arbitrary topic is exposed to unauthorized users through the /u/username.json endpoint.
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Workarounds
There is no known workaround.