Hidden tags may be exposed in the subject of notification emails
Package
No package listed
Affected versions
stable <= 2.8.12; beta <= 2.9.0.beta13; tests-passed <= 2.9.0.beta13
Patched versions
stable >= 2.8.13; beta >= 2.9.0.beta14; tests-passed >= 2.9.0.beta14
Impact
Unauthorized users may learn of the existence of hidden tags and that they have been applied to topics that they have access to.
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse
Workarounds
Use the
disable_emailsite setting to disable all emails to non-staff users.