Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-23622

Date: March 17, 2023

Discourse is an open-source discussion platform. Prior to version 3.0.1 of the "stable" branch and version 3.1.0.beta2 of the "beta" and "tests-passed" branches, the count of topics displayed for a tag is a count of all regular topics regardless of whether the topic is in a read restricted category or not. As a result, any users can technically poll a sensitive tag to determine if a new topic is created in a category which the user does not have excess to. In version 3.0.1 of the "stable" branch and version 3.1.0.beta2 of the "beta" and "tests-passed" branches, the count of topics displayed for a tag defaults to only counting regular topics which are not in read restricted categories. Staff users will continue to see a count of all topics regardless of the topic's category read restrictions.

Language: Ruby

Severity Score

Related Resources (7)

https://github.com/discourse/discourse/pull/20005
https://github.com/discourse/discourse/pull/20004
https://nvd.nist.gov/vuln/detail/CVE-2023-23622
https://github.com/discourse/discourse/commit/ecb9aa5dba94741d9579f4f873f0675f48b4184f
https://github.com/discourse/discourse/commit/105fee978d73b0ec23ff814a09d1c0c9ace95164
https://github.com/discourse/discourse/security/advisories/GHSA-2wvr-4x7w-v795
https://www.mend.io/vulnerability-database/CVE-2023-23622

Severity Score

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insufficient Information

NVD-CWE-noinfo

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us