Displaying user badges can leak topic titles to users that have no access to the topic

Moderate
jomaxro published GHSA-2gvq-27h6-4h5f Nov 1, 2022

Package

Discourse (Discourse)

Affected versions

stable <= 2.8.9; beta <= 2.9.0.beta10; tests-passed <= 2.9.0.beta10

Patched versions

stable > 2.8.9; beta > 2.9.0.beta10; tests-passed > 2.9.0.beta10

Description

Impact

Under certain conditions, a user badge may have been awarded based on a user's activity in a topic with restricted access. Before this vulnerability was disclosed, the title of the topic associated with the user badge could be viewed by any user, including users without access to the topic. If the topic title contains sensitive information, it will therefore have been exposed.
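
As an added illustration (not Discourse's own code), the model below shows the leak and its fix: the topic title attached to a badge is serialized only when the viewing user can access that topic. The Topic, UserBadge and User structs, topic_visible_to? and the sample data are constructed for this example.

```ruby
# Minimal model of a badge that records the topic it was earned in.
# allowed_group_ids == nil means the topic is public; otherwise only
# members of one of those groups may see it.
Topic     = Struct.new(:id, :title, :allowed_group_ids)
UserBadge = Struct.new(:badge_name, :topic_id)
User      = Struct.new(:name, :group_ids)

# Constructed sample data: one public topic, one restricted to :staff.
TOPICS = {
  1 => Topic.new(1, "Welcome to the forum", nil),
  2 => Topic.new(2, "Confidential planning thread", [:staff]),
}.freeze

# Access check: public topics are visible to everyone (including anonymous
# viewers, modelled as nil); restricted topics need a shared group.
def topic_visible_to?(topic, viewer)
  return true if topic.allowed_group_ids.nil?
  return false if viewer.nil?
  (topic.allowed_group_ids & viewer.group_ids).any?
end

# Vulnerable pattern: the title is emitted regardless of who is looking,
# so anyone viewing the badge learns the restricted topic's title.
def serialize_badge_vulnerable(user_badge, _viewer)
  topic = TOPICS[user_badge.topic_id]
  { badge: user_badge.badge_name, topic_title: topic && topic.title }
end

# Fixed pattern: the access check is applied at display time, so the
# title is omitted for viewers who cannot see the topic.
def serialize_badge_fixed(user_badge, viewer)
  topic = TOPICS[user_badge.topic_id]
  title = topic && topic_visible_to?(topic, viewer) ? topic.title : nil
  { badge: user_badge.badge_name, topic_title: title }
end
```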

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

There are no workarounds available.

Severity

Moderate
5.3 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2022-39378

Weaknesses

No CWEs