Names of groups with restricted visibility may be leaked when viewing a category
Package
Discourse
(Discourse)
Affected versions
stable <= 2.8.2; beta <= 2.9.0.beta3; tests-passed <= 2.9.0.beta3
Patched versions
stable >= 2.8.3; beta >= 2.9.0.beta4; tests-passed >= 2.9.0.beta4
Impact
When a group with restricted visibility has been used to set the permissions of a category, the name of the group is leaked to any user that is able to see the category.
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse
Workarounds
To workaround the problem, a site administrator can remove groups with restricted visibility from any category's permissions setting.