CVE-2022-46150

Discourse is an open-source discussion platform. Prior to version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches, unauthorized users may learn of the existence of hidden tags and that they have been applied to topics that they have access to. This issue is patched in version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches. As a workaround, use the `disable_email` site setting to disable all emails to non-staff users.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse/commit/84c83e8d4a1907f8a2972f0ab44b6402aa910c3b	Patch Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-rqvq-94h8-p5wv	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta1::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta10::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta11::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta12::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta13::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta2::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta3::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta4::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta5::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta6::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta7::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta8::::::

History

01 Dec 2022, 21:57

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/discourse/discourse/commit/84c83e8d4a1907f8a2972f0ab44b6402aa910c3b -~~	(MISC) https://github.com/discourse/discourse/commit/84c83e8d4a1907f8a2972f0ab44b6402aa910c3b - Patch, Third Party Advisory
References	~~(CONFIRM) https://github.com/discourse/discourse/security/advisories/GHSA-rqvq-94h8-p5wv -~~	(CONFIRM) https://github.com/discourse/discourse/security/advisories/GHSA-rqvq-94h8-p5wv - Third Party Advisory
First Time		Discourse Discourse discourse
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
CPE		cpe:2.3:a:discourse:discourse:2.9.0:beta6:::::: cpe:2.3:a:discourse:discourse:2.9.0:beta4:::::: cpe:2.3:a:discourse:discourse:2.9.0:beta11:::::: cpe:2.3:a:discourse:discourse:2.9.0:beta12:::::: cpe:2.3:a:discourse:discourse:2.9.0:beta5:::::: cpe:2.3:a:discourse:discourse:2.9.0:beta2:::::: cpe:2.3:a:discourse:discourse:2.9.0:beta10:::::: cpe:2.3:a:discourse:discourse:2.9.0:beta1:::::: cpe:2.3:a:discourse:discourse:::::::: cpe:2.3:a:discourse:discourse:2.9.0:beta8:::::: cpe:2.3:a:discourse:discourse:2.9.0:beta7:::::: cpe:2.3:a:discourse:discourse:2.9.0:beta3:::::: cpe:2.3:a:discourse:discourse:2.9.0:beta13::::::

29 Nov 2022, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-11-29 18:15

Updated : 2023-12-10 14:48

NVD link : CVE-2022-46150

Mitre link : CVE-2022-46150

CVE.ORG link : CVE-2022-46150

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

4.3 /10