Skip to content

Unread bookmark reminder notifications that the user cannot access can be seen

Low
jomaxro published GHSA-v9r6-92wp-f6cf Nov 9, 2023

Package

No package listed

Affected versions

stable < 3.1.3; beta/tests-passed < 3.2.0.beta3

Patched versions

stable >= 3.1.3; beta/tests-passed >= 3.2.0.beta3

Description

Impact

There is an edge case where a bookmark reminder is sent and an unread notification is generated, but the underlying bookmarkable (e.g. post, topic, chat message) security has changed, making it so the user can no longer access the underlying resource.

Patches

Bookmark reminders are now no longer sent if the user does not have access to the underlying bookmarkable, and also the unread bookmark notifications are always filtered by access.

Workarounds

No

Severity

Low
3.3
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE ID

CVE-2023-45816

Weaknesses