Yearly Review plugin leaking anonymised users' data

Low
jomaxro published GHSA-x2r8-v85c-x3x7 Mar 6, 2023

Package

discourse-yearly-review (Discourse)

Affected versions

0.1

Patched versions

0.2

Description

Impact

A user who appears in a yearly review topic and is later anonymised will still have some data in that topic linked to their original account.

Patches

The latest version of the Discourse Yearly Review plugin has the patch.

Workarounds

Disable the yearly_review_enabled setting to fully mitigate the issue. Alternatively, the anonymised user's old data in the yearly review topics can be edited manually.

Severity

Low (3.1 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE ID

CVE-2023-25169

Weaknesses

No CWEs