Secure category names leaked via user activity export
Package
No package listed
Affected versions
stable <= 2.8.2; beta <= 2.9.0.beta3; tests-passed <= 2.9.0.beta3
Patched versions
stable > 2.8.2; beta > 2.9.0.beta3; tests-passed > 2.9.0.beta3
Impact
Users can request an export of their own activity. Sometimes, due to category settings, they may have category membership for a secure category, and we are showing the name of this secure category to the user in the export. The same thing occurs when the user's post has been moved to a secure category.
Patches
This issue is patched in the latest versions of Discourse.