Disclosure of the existence of secret subcategories
Package
discourse
Affected versions
stable <= 3.2.0; beta <= 3.3.0.beta1; tests-passed <= 3.3.0.beta1
Patched versions
stable >= 3.2.1; beta >= 3.3.0.beta2; tests-passed >= 3.3.0.beta2
Impact
An attacker can learn that a secret subcategory exists under a public category which has no public subcategories.
Patches
The issue is patched in the latest stable, beta and tests-passed version of Discourse.
Workarounds
None.