Post creator of a whisper post can be revealed to non-staff users.

Moderate
ZogStriP published GHSA-v6xg-q577-vc92 Jul 27, 2021

Package

No package listed

Affected versions

stable <= 2.7.6; beta <= 2.8.0.beta4; tests-passed <= 2.8.0.beta4;

Patched versions

stable >= 2.7.7; beta >= 2.8.0.beta4; tests-passed >= 2.8.0.beta4;

Description

Impact

There are two bugs that led to the creator of a whisper post being revealed to non-staff users.

  1. A staff user who creates a whisper post in a personal message is revealed as a participant to the non-staff members of that personal message, even though they cannot see the whisper post itself.

  2. When a whisper post precedes the last post in a post stream, deleting that last post results in the creator of the whisper post being revealed to non-staff users as the last poster of the topic.
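Both bugs share one root cause: a derived field (last poster, participant list) was computed from the full set of posts rather than from the posts the viewing user is actually allowed to see. The following Ruby sketch is an added illustration of the defensive pattern, not Discourse's own code; the `Post`/`User` structs, the `visible_posts` helper and the sample topic are all constructed for this example. It contrasts an unfiltered "last poster" computation (the behaviour described above) with one derived from the viewer's visible posts.

```ruby
# Hypothetical, simplified model of a topic's post stream (not Discourse's data model).
User = Struct.new(:name, :staff, keyword_init: true)
Post = Struct.new(:number, :user, :whisper, :deleted, keyword_init: true)

# Posts the viewer may see: deleted posts are hidden from everyone here, and
# whisper posts are only visible to staff.
def visible_posts(posts, viewer)
  posts.reject { |p| p.deleted || (p.whisper && !viewer.staff) }
end

# Last poster as it should be shown to this viewer. Because it is derived from
# the viewer's visible posts, deleting the final regular post can never fall
# back on a whisper's author for a non-staff viewer (bug 2 above).
def last_poster(posts, viewer)
  visible_posts(posts, viewer).max_by(&:number)&.user&.name
end

# Participant list as it should be shown to this viewer. A staff member whose
# only contribution is a whisper does not appear for non-staff (bug 1 above).
def participants(posts, viewer)
  visible_posts(posts, viewer).map { |p| p.user.name }.uniq
end

# Buggy variant kept for contrast: it ignores who is asking, so once the last
# regular post is deleted the whisper's author leaks as "last poster".
def last_poster_unfiltered(posts)
  posts.reject(&:deleted).max_by(&:number)&.user&.name
end

# Constructed sample: a non-staff user, a staff user, and a three-post stream in
# which the staff user whispers between two regular posts and the final regular
# post has just been deleted.
ALICE = User.new(name: "alice", staff: false)
MOD   = User.new(name: "mod",   staff: true)
SAMPLE_POSTS = [
  Post.new(number: 1, user: ALICE, whisper: false, deleted: false),
  Post.new(number: 2, user: MOD,   whisper: true,  deleted: false),
  Post.new(number: 3, user: ALICE, whisper: false, deleted: true)
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered last poster:      #{last_poster_unfiltered(SAMPLE_POSTS)}" # leaks "mod"
  puts "last poster for alice:       #{last_poster(SAMPLE_POSTS, ALICE)}"     # "alice"
  puts "last poster for mod:         #{last_poster(SAMPLE_POSTS, MOD)}"       # "mod"
  puts "participants seen by alice:  #{participants(SAMPLE_POSTS, ALICE).inspect}"
  puts "participants seen by mod:    #{participants(SAMPLE_POSTS, MOD).inspect}"
end
```

The general lesson is that any cached or denormalized summary of a post stream (last poster, participant avatars, reply counts) must be computed per viewer, or at least recomputed only from posts that pass the same visibility check the post stream itself applies; a regression test that deletes the last post after a whisper, then reads the summary as a non-staff user, catches this class of leak.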

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Severity

Moderate
4.3 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2021-32788

Weaknesses