CVE-2022-31095

discourse-chat is a chat plugin for the Discourse application. Versions prior to 0.4 are vulnerable to an exposure of sensitive information, where an attacker who knows the message ID for a channel they do not have access to can view that message using the chat message lookup endpoint, primarily affecting direct message channels. There are no known workarounds for this issue, and users are advised to update the plugin.
Configurations

Configuration 1 (hide)

cpe:2.3:a:discourse:discourse-chat:*:*:*:*:*:discourse:*:*

History

21 Nov 2024, 07:03

Type Values Removed Values Added
References () https://github.com/discourse/discourse-chat/security/advisories/GHSA-r979-jhp2-3f6h - Third Party Advisory () https://github.com/discourse/discourse-chat/security/advisories/GHSA-r979-jhp2-3f6h - Third Party Advisory
CVSS v2 : 4.0
v3 : 6.5
v2 : 4.0
v3 : 4.3

24 Jul 2023, 13:17

Type Values Removed Values Added
CWE CWE-200 CWE-862

Information

Published : 2022-06-21 19:15

Updated : 2024-11-21 07:03


NVD link : CVE-2022-31095

Mitre link : CVE-2022-31095

CVE.ORG link : CVE-2022-31095


JSON object : View

Products Affected

discourse

  • discourse-chat
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-862

Missing Authorization