Sqeezelemon

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 2.8.14 on the stable branch Discourse versions prior to 3.0.0.beta16 on the beta and tests-passed branches **Description** The issue exposes the number of times a user posted in an arbitrary topic to unauthorized users through the "/u/username.json" endpoint. **Recommendations** For versions prior to 2.8.14 on the stable branch, update to version 2.8.14 to resolve the issue. For versions prior to 3.0.0.beta16 on the beta and tests-passed branches, update to version 3.0.0.beta16 to resolve the issue. As a temporary workaround, consider restricting access to the "/u/username.json" endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Discourse versions 2.8.13 and prior Discourse versions 2.9.0.beta14 and prior **Description** Discourse is an open-source discussion platform where any authenticated user can create an unlisted topic, potentially taking up unnecessary site resources. **Recommendations** For versions 2.8.13 and prior, update to a version after 2.8.13. For versions 2.9.0.beta14 and prior, update to a version after 2.9.0.beta14. As a temporary workaround, consider restricting the ability to create unlisted topics for authenticated users until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Discourse-calendar (affected versions not specified) **Description** The Discourse-calendar plugin for the Discourse messaging platform is affected by an issue that allows users to list members of private groups or public groups with private members, and create and edit post events. This issue only affects sites with discourse post events enabled. The issue has been patched in a commit, which will be included in future releases. **Recommendations** To fully mitigate the issue, users unable to upgrade should disable the `discourse post event enabled` setting. As a temporary workaround, it's possible to prevent regular users from using this vulnerability by removing all groups from the `discourse post event allowed on groups`, but note that moderators will still be able to use it.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 2.7.13 Discourse versions prior to 2.8.0.beta11 **Description** A vulnerability has been discovered in Discourse where the group advanced search option does not respect the group's visibility and members visibility level. This allows a group with restricted visibility or members visibility to be revealed through search with the right search option. The issue concerns the configuration of group visibility and members visibility, which can be set to public, restricted to logged on users, members of the group, or staff users. **Recommendations** For versions prior to 2.7.13, upgrade to version 2.7.13 or later. For versions prior to 2.8.0.beta11, upgrade to version 2.8.0.beta11 or later. As a temporary workaround is not available, upgrading to the specified versions is the only resolution to this issue.