Discourse · Discourse · CVE-2021-32788
**Name of the Vulnerable Software and Affected Versions**
Discourse versions prior to 2.7.7
**Description**
Discourse is an open source discussion platform. Two bugs caused the creator of a whisper post to be revealed to non-staff users. The first bug occurs when a staff user creates a whisper post in a personal message: the staff user is revealed to non-staff participants of the personal message, even though they cannot see the whisper post itself. The second bug occurs when a whisper post comes before the last post in a post stream: deleting the last post results in the creator of the whisper post being revealed to non-staff users as the last poster of the topic.
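The second bug can be illustrated with a small model of how a topic's "last poster" is recomputed after a deletion. This is an added example, not Discourse source code: `Post`, `Topic`, the method names and the sample users are all hypothetical, and the model only assumes that the last poster is derived from the newest remaining post.

```ruby
# Simplified model of the second bug. This is NOT Discourse source code;
# Post, Topic and every method name here are hypothetical.
Post = Struct.new(:number, :author, :whisper, :deleted, keyword_init: true)

class Topic
  def initialize(posts)
    @posts = posts
  end

  def delete(number)
    post = @posts.find { |p| p.number == number }
    raise ArgumentError, "no post ##{number}" unless post
    post.deleted = true
  end

  # Leaky: after a deletion, fall back to the newest remaining post,
  # without asking whether non-staff users can see it.
  def last_poster_leaky
    remaining.max_by(&:number)&.author
  end

  # Hardened: metadata shown to non-staff is derived only from posts
  # that non-staff can see, so a whisper never becomes the fallback.
  def last_poster_for(staff:)
    pool = staff ? remaining : remaining.reject(&:whisper)
    pool.max_by(&:number)&.author
  end

  private

  def remaining
    @posts.reject(&:deleted)
  end
end

# Constructed sample stream: regular post, staff whisper, regular post.
def sample_topic
  Topic.new([
    Post.new(number: 1, author: "alice", whisper: false, deleted: false),
    Post.new(number: 2, author: "staff_sam", whisper: true, deleted: false),
    Post.new(number: 3, author: "bob", whisper: false, deleted: false),
  ])
end

topic = sample_topic
topic.delete(3) # the last post is removed; the whisper is now the newest post
puts "leaky view for non-staff:    #{topic.last_poster_leaky}"
puts "hardened view for non-staff: #{topic.last_poster_for(staff: false)}"
puts "hardened view for staff:     #{topic.last_poster_for(staff: true)}"
```

The same rule applies to any topic metadata shown to non-staff users: derive it only from posts those users are allowed to see.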
**Recommendations**
Update to version 2.7.7 or later to resolve the issue. As a temporary workaround on versions prior to 2.7.7, consider restricting the use of whisper posts in personal messages and avoiding deletion of the last post in a post stream to minimize the risk of exploitation.