Users without tag group permissions can view and receive notifications for previously watched tags

Low
jomaxro published GHSA-pq2x-vq37-8522 Dec 1, 2021

Package

No package listed

Affected versions

stable <= 2.7.10; beta,tests-passed <= 2.8.0.beta8;

Patched versions

stable >= 2.7.11; beta,tests-passed >= 2.8.0.beta9;

Description

Impact

This vulnerability affects users of tag groups who use the "Tags are visible only to the following groups" feature. A tag group may restrict certain tags so that only a particular group (e.g. staff) can view them. Users who were tracking or watching those tags via /preferences/tags and then have their staff status revoked will still receive notifications related to the tag, even though they can no longer see the tag on each topic.
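The defect described above is a general authorization pattern: a stored preference (the tag watch) is treated as proof of permission, so notifications fan out to users whose group membership has since changed. The following Ruby example is added here to illustrate the pattern and its remedy; it is not Discourse's code, and every name in it (TagGroup, User, tag_visible_to?, notify_watchers_checked, prune_watch_preferences) is hypothetical. The visibility rule it models (a user must belong to a permitted group of every restricting tag group that contains the tag) is an assumption made for the example.

```ruby
# Added example, not Discourse code: tag-group visibility re-checked at
# notification time. All names are hypothetical.

# A tag group may restrict its tags to certain user groups (nil = unrestricted).
TagGroup = Struct.new(:name, :tags, :visible_to_groups)
User     = Struct.new(:name, :groups)

# Assumed rule for this model: a tag is visible when no restricting tag group
# contains it, or when the user belongs to a permitted group of every
# restricting tag group that does.
def tag_visible_to?(user, tag, tag_groups)
  restricting = tag_groups.select { |tg| tg.tags.include?(tag) && tg.visible_to_groups }
  restricting.all? { |tg| (tg.visible_to_groups & user.groups).any? }
end

# Vulnerable pattern: fan out to everyone who once watched the tag, trusting
# the stored preference as if it were a current permission.
def notify_watchers_unchecked(tag, watchers)
  watchers.fetch(tag, [])
end

# Hardened pattern: re-evaluate visibility against the user's *current*
# groups each time a notification is generated.
def notify_watchers_checked(tag, watchers, tag_groups)
  watchers.fetch(tag, []).select { |u| tag_visible_to?(u, tag, tag_groups) }
end

# Complementary cleanup: drop watch preferences a user no longer has the
# right to hold, so stale state does not accumulate. The runtime check above
# remains the safety net if this cleanup is ever missed.
def prune_watch_preferences(watchers, tag_groups)
  watchers.to_h { |tag, users| [tag, users.select { |u| tag_visible_to?(u, tag, tag_groups) }] }
end

# Constructed scenario mirroring the advisory: a staff-only tag, one user who
# watched it while staff and was later removed from the group.
def demotion_scenario
  tag_groups = [TagGroup.new("staff-tags", ["incident"], ["staff"])]
  alice = User.new("alice", ["staff"])
  bob   = User.new("bob",   ["staff"])
  watchers = { "incident" => [alice, bob] }

  alice.groups = []  # staff status revoked; the watch preference remains

  {
    unchecked: notify_watchers_unchecked("incident", watchers).map(&:name),
    checked:   notify_watchers_checked("incident", watchers, tag_groups).map(&:name),
    pruned:    prune_watch_preferences(watchers, tag_groups)["incident"].map(&:name)
  }
end

if __FILE__ == $PROGRAM_NAME
  p demotion_scenario
  # => {:unchecked=>["alice", "bob"], :checked=>["bob"], :pruned=>["bob"]}
end
```

The unchecked path still lists the demoted user, which is the behaviour the advisory describes; the checked path drops her because the decision is made from current group membership rather than from the stored watch. Pruning on its own is not sufficient, since any path that forgets to prune (a race with the demotion, an import, a backfill) reintroduces the leak, which is why the per-notification check is the primary control.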

Patches

The problem has been patched. Please upgrade to v2.8.0.beta9 or 2.7.11.

Workarounds

None.

References

https://meta.discourse.org/t/non-forum-staff-getting-notifications-for-staff-only-tags/184895

Severity

Low

CVE ID

CVE-2021-43792

Weaknesses

No CWEs