Hidden tags may be exposed in the subject of notification emails

Moderate
jomaxro published GHSA-rqvq-94h8-p5wv Nov 29, 2022

Package

No package listed

Affected versions

stable <= 2.8.12; beta <= 2.9.0.beta13; tests-passed <= 2.9.0.beta13

Patched versions

stable >= 2.8.13; beta >= 2.9.0.beta14; tests-passed >= 2.9.0.beta14

Description

Impact

Unauthorized users may learn of the existence of hidden tags and that they have been applied to topics that they have access to.
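The flaw class described above, as an added example: a simplified Ruby model, not Discourse's code or its patch. It assumes the subject line is built from the topic's tags, and all type, method and tag names are hypothetical. It contrasts a subject rendered from every tag with one filtered per recipient, plus a check that could back a regression test.

```ruby
# Simplified model of the flaw class, not Discourse's code; every name is hypothetical.
Tag   = Struct.new(:name, :allowed_groups) # allowed_groups nil => public tag
User  = Struct.new(:name, :groups, :staff)
Topic = Struct.new(:title, :tags)

# True when `user` is allowed to see `tag`.
def tag_visible?(tag, user)
  return true if tag.allowed_groups.nil? || user.staff
  (tag.allowed_groups & user.groups).any?
end

# Renders "[tag1] [tag2] Title", or just the title when no tags remain.
def format_subject(title, tags)
  prefix = tags.map { |t| "[#{t.name}]" }.join(" ")
  prefix.empty? ? title : "#{prefix} #{title}"
end

# Unsafe pattern: the subject is built from every tag on the topic, so a
# hidden tag name reaches any recipient who is allowed to read the topic.
def subject_unfiltered(topic, _recipient)
  format_subject(topic.title, topic.tags)
end

# Hardened pattern: tags are filtered against the recipient before rendering.
def subject_filtered(topic, recipient)
  visible = topic.tags.select { |t| tag_visible?(t, recipient) }
  format_subject(topic.title, visible)
end

# Regression check: names of tags the recipient may not see that still
# appear in a rendered subject line.
def leaked_tags(topic, recipient, subject)
  topic.tags.reject { |t| tag_visible?(t, recipient) }
       .map(&:name)
       .select { |n| subject.include?("[#{n}]") }
end

# Constructed sample data (not taken from any real forum).
SAMPLE_TOPIC = Topic.new("Login fails after upgrade",
                         [Tag.new("howto", nil),
                          Tag.new("internal-escalation", ["staff-only"])])
MEMBER = User.new("alice", ["trust_level_1"], false)
STAFF  = User.new("bob", ["staff-only"], true)

[MEMBER, STAFF].each do |u|
  s = subject_filtered(SAMPLE_TOPIC, u)
  puts "#{u.name}: #{s} (leaked: #{leaked_tags(SAMPLE_TOPIC, u, s).inspect})"
end
```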

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

Use the disable_email site setting to disable all emails to non-staff users.

Severity

Moderate
4.3 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2022-46150

Weaknesses