Secure category names leaked via user activity export

Low
jomaxro published GHSA-c3cq-w899-f343 Mar 24, 2022

Package

No package listed

Affected versions

stable <= 2.8.2; beta <= 2.9.0.beta3; tests-passed <= 2.9.0.beta3

Patched versions

stable > 2.8.2; beta > 2.9.0.beta3; tests-passed > 2.9.0.beta3

Description

Impact

Users can request an export of their own activity. Due to category settings, a user may sometimes have category membership for a secure category, and the export shows the name of that secure category to the user. The same thing occurs when the user's post has been moved to a secure category.
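The sketch below illustrates the flaw class described above next to an export-time visibility check. It is an added example, not Discourse's code or its patch; the data model, the names (`Category`, `User`, `can_see_category?`, the row layout) and the choice to return `nil` for a withheld name are all hypothetical assumptions.

```ruby
# Hypothetical model and constructed sample data; not Discourse's schema.
Category = Struct.new(:id, :name, :allowed_group_ids) do
  # A category restricted to specific groups is treated as "secure".
  def secure?
    !allowed_group_ids.empty?
  end
end

User = Struct.new(:id, :group_ids)

CATEGORIES = {
  1 => Category.new(1, "General", []),
  2 => Category.new(2, "Staff Investigations", [10]),
}.freeze

# Rows belonging to the exporting user (constructed).
ROWS = [
  { type: :post, post_id: 101, category_id: 1 },
  { type: :post, post_id: 102, category_id: 2 },  # post later moved to a secure category
  { type: :category_membership, category_id: 2 }, # membership left by category settings
].freeze

def can_see_category?(user, category)
  !category.secure? || (category.allowed_group_ids & user.group_ids).any?
end

# Flawed pattern: the row is the user's own, so the category name is
# resolved without asking whether the user may see that category.
def export_unfiltered(rows)
  rows.map { |r| r.merge(category_name: CATEGORIES.fetch(r[:category_id]).name) }
end

# Hardened pattern: read access to the category is re-checked at export
# time, and the name is withheld when the check fails.
def export_filtered(user, rows)
  rows.map do |r|
    category = CATEGORIES.fetch(r[:category_id])
    name = can_see_category?(user, category) ? category.name : nil
    r.merge(category_name: name)
  end
end
```

The point of the check is that ownership of a row (a post, a membership record) does not imply permission to read every attribute joined onto it; the category's own access rule has to be evaluated for the requesting user when the export is built.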

Patches

This issue is patched in the latest versions of Discourse.

Severity

Low

CVE ID

CVE-2022-24782

Weaknesses