Users can see notifications for topics they no longer have access to

Low
jomaxro published GHSA-354r-jpj5-53c2 Nov 28, 2022

Package

Discourse (Discourse)

Affected versions

stable <= 2.8.11; beta <= 2.9.0.beta12; tests-passed <= 2.9.0.beta12

Patched versions

stable >= 2.8.12; beta >= 2.9.0.beta13; tests-passed >= 2.9.0.beta13

Description

Impact

Under certain conditions, a user can see notifications for topics they no longer have access to. If there is sensitive information in the topic title, it will therefore have been exposed.

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

There are no workarounds available.

Severity

Low 3.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CVE ID

CVE-2022-41944

Weaknesses

No CWEs