Home > Vulnerability Database > CVE-2023-23935

Mend.io Vulnerability Database

CVE-2023-23935

Date: March 16, 2023

Discourse is an open-source messaging platform. In versions 3.0.1 and prior on the "stable" branch and versions 3.1.0.beta2 and prior on the "beta" and "tests-passed" branches, the count of personal messages displayed for a tag is a count of all personal messages regardless of whether the personal message is visible to a given user. As a result, any users can technically poll a sensitive tag to determine if a new personal message is created even if the user does not have access to the personal message. In the patched versions, the count of personal messages tagged with a given tag is hidden by default. To revert to the old behaviour of displaying the count of personal messages for a given tag, an admin may enable the "display_personal_messages_tag_counts" site setting.

Language: Ruby

Severity Score

3.5

Related Resources (4)

Url: https://github.com/discourse/discourse/security/advisories/GHSA-rf8j-mf8c-82v7

Url: https://github.com/discourse/discourse/commit/f31f0b70f82c43d93220ce6fc0d4f57440452f37

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-23935

Url: https://www.mend.io/vulnerability-database/CVE-2023-23935

Severity Score

3.5

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insufficient Information

NVD-CWE-noinfo

CVSS v3.1

Base Score:	3.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-23935

Date: March 16, 2023

Language: Ruby

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?