Skip to content

Disclosure of the existence of secret subcategories

Moderate
nattsw published GHSA-3qh8-xw23-cq4x Mar 15, 2024

Package

discourse

Affected versions

stable <= 3.2.0; beta <= 3.3.0.beta1; tests-passed <= 3.3.0.beta1

Patched versions

stable >= 3.2.1; beta >= 3.3.0.beta2; tests-passed >= 3.3.0.beta2

Description

Impact

An attacker can learn that a secret subcategory exists under a public category which has no public subcategories.

Patches

The issue is patched in the latest stable, beta and tests-passed version of Discourse.

Workarounds

None.

Severity

Moderate
5.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2024-24748

Weaknesses