
Samuel Grant

#50837 of 53,633
4.3 Total CVSS
Vulnerabilities · 1
PT-2021-23938
4.3
2021-12-01
Discourse · Discourse · CVE-2021-43792
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 2.7.11

Description: A vulnerability affects users of tag groups who use the "Tags are visible only to the following groups" feature in Discourse, an open source discussion platform. This feature allows a tag group to restrict visibility of certain tags to specific groups, such as staff. However, if a user's group status is revoked, they may still receive notifications related to the tag, even though they can no longer view the tag on each topic.

Recommendations: For versions prior to 2.7.11, upgrade to version 2.7.11 or later as soon as possible to resolve the issue. As a temporary workaround, consider restricting access to the `/preferences/tags` endpoint for users who have had their staff status revoked, until the upgrade can be applied.