User's read state for a topic is leaked when unread state message is published from the server to the clients.
Package
Discourse
Affected versions
stable <= 2.7.7; beta <= 2.8.0.beta4; tests-passed <= 2.8.0.beta4
Patched versions
stable <= 2.7.8; beta <= 2.8.0.beta5; tests-passed <= 2.8.0.beta5
Impact
A user's read state for a topic such as the last read post number and the notification level is exposed.
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.