Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only being serialized to people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff member, but for sites with assign features enabled publicly, the data was accessible to more people than just staff. Version 1.0.1 contains a patch. There are currently no known workarounds.
References
Link | Resource |
---|---|
https://github.com/discourse/discourse-assign/pull/320 | Issue Tracking Patch Third Party Advisory |
https://github.com/discourse/discourse-assign/security/advisories/GHSA-9xhf-wvjx-f5w9 | Third Party Advisory |
Configurations
History
06 May 2022, 14:08
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 4.0
v3 : 4.3 |
CPE | cpe:2.3:a:discourse:assign:*:*:*:*:*:discourse:*:* | |
References | (MISC) https://github.com/discourse/discourse-assign/pull/320 - Issue Tracking, Patch, Third Party Advisory | |
References | (CONFIRM) https://github.com/discourse/discourse-assign/security/advisories/GHSA-9xhf-wvjx-f5w9 - Third Party Advisory | |
CWE | CWE-200 | |
First Time |
Discourse assign
Discourse |
26 Apr 2022, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-04-26 19:15
Updated : 2023-12-10 14:22
NVD link : CVE-2022-24866
Mitre link : CVE-2022-24866
CVE.ORG link : CVE-2022-24866
JSON object : View
Products Affected
discourse
- assign
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor