CVE-2022-41944

Discourse is an open-source discussion platform. In stable versions prior to 2.8.12 and beta or tests-passed versions prior to 2.9.0.beta.13, under certain conditions, a user can see notifications for topics they no longer have access to. If there is sensitive information in the topic title, it will therefore have been exposed. This issue is patched in stable version 2.8.12, beta version 2.9.0.beta13, and tests-passed version 2.9.0.beta13. There are no workarounds available.
Configurations

Configuration 1

OR (any of the following):
  • cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
  • cpe:2.3:a:discourse:discourse:2.9.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:discourse:discourse:2.9.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:discourse:discourse:2.9.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:discourse:discourse:2.9.0:beta4:*:*:*:*:*:*
  • cpe:2.3:a:discourse:discourse:2.9.0:beta5:*:*:*:*:*:*
  • cpe:2.3:a:discourse:discourse:2.9.0:beta6:*:*:*:*:*:*
  • cpe:2.3:a:discourse:discourse:2.9.0:beta7:*:*:*:*:*:*
  • cpe:2.3:a:discourse:discourse:2.9.0:beta8:*:*:*:*:*:*
  • cpe:2.3:a:discourse:discourse:2.9.0:beta9:*:*:*:*:*:*
  • cpe:2.3:a:discourse:discourse:2.9.0:beta10:*:*:*:*:*:*
  • cpe:2.3:a:discourse:discourse:2.9.0:beta11:*:*:*:*:*:*
  • cpe:2.3:a:discourse:discourse:2.9.0:beta12:*:*:*:*:*:*

History

21 Nov 2024, 07:24

Type       | Values Removed                                                                                                        | Values Added
CVSS       | v2 : unknown; v3 : 4.3                                                                                               | v2 : unknown; v3 : 3.5
References | https://github.com/discourse/discourse/commit/c6ee28ec756436cc9ce154dd2c8e4c441f92f693 - Patch, Third Party Advisory | https://github.com/discourse/discourse/commit/c6ee28ec756436cc9ce154dd2c8e4c441f92f693 - Patch, Third Party Advisory
References | https://github.com/discourse/discourse/security/advisories/GHSA-354r-jpj5-53c2 - Third Party Advisory               | https://github.com/discourse/discourse/security/advisories/GHSA-354r-jpj5-53c2 - Third Party Advisory

06 Jul 2023, 13:37

Type | Values Removed | Values Added
CWE  | CWE-200        | CWE-863

Information

Published : 2022-11-28 15:15

Updated : 2024-11-21 07:24

NVD link : CVE-2022-41944

Mitre link : CVE-2022-41944

CVE.ORG link : CVE-2022-41944

Products Affected

discourse
  • discourse

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-863: Incorrect Authorization