PT-2021-19931 · Discourse · Discourse

Zogstrip · Published 2021-07-27 · Updated 2024-03-06 · CVE-2021-32788

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 2.7.7
Description: Discourse is an open source discussion platform. Two bugs cause the author of a whisper post (a post that only staff can see) to be revealed to non-staff users. The first occurs when a staff user creates a whisper post in a personal message: the staff user is shown to the non-staff participants of that message even though they cannot see the whisper itself. The second occurs when a whisper post sits immediately before the last post in a topic's post stream and that last post is deleted: the whisper's author is then displayed to non-staff users as the topic's last poster. In both cases the leak comes from a value derived from the post stream (participant list, last poster) without regard to which posts the viewing user is allowed to see.
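The following is an added illustration, not Discourse's own code: a minimal Ruby model of a post stream showing how both derived values described above (a topic's "last poster" and a personal message's participant list) expose a whisperer when they are computed without reference to the viewer, and how computing them from the viewer's visible posts closes both leaks. The structs, helper names and the scenario data are constructed for the example.

```ruby
# Added example (not Discourse's code). Names such as Post, User, visible?,
# last_poster_for and participants_for are illustrative assumptions.

User = Struct.new(:name, :staff, keyword_init: true)
Post = Struct.new(:id, :user, :whisper, :deleted, keyword_init: true)

# A post is visible to a viewer when it is not deleted and is either a regular
# post or the viewer is staff (whispers are staff-only).
def visible?(post, viewer)
  !post.deleted && (!post.whisper || viewer.staff)
end

# Vulnerable shape: "last poster" is the author of the newest undeleted post,
# computed once for the topic with no notion of who is looking. If the newest
# undeleted post is a whisper (for example after the regular post following it
# was deleted), the whisperer is shown to everyone.
def last_poster_vulnerable(posts)
  posts.reject(&:deleted).max_by(&:id)&.user&.name
end

# Hardened shape: derive "last poster" only from the posts this viewer can see.
def last_poster_for(posts, viewer)
  posts.select { |p| visible?(p, viewer) }.max_by(&:id)&.user&.name
end

# Vulnerable shape: PM participants = explicitly invited users plus the author
# of every undeleted post, so a staff user who only whispered appears in the list.
def participants_vulnerable(posts, invited)
  (invited.map(&:name) + posts.reject(&:deleted).map { |p| p.user.name }).uniq
end

# Hardened shape: an author joins the list only if the viewer can see at least
# one of that author's posts.
def participants_for(posts, invited, viewer)
  authors = posts.select { |p| visible?(p, viewer) }.map { |p| p.user.name }
  (invited.map(&:name) + authors).uniq
end

# Constructed scenario: alice and bob exchange a personal message; carol (staff)
# whispers after bob's reply; bob then posts again and that last post is deleted.
ALICE = User.new(name: "alice", staff: false)
BOB   = User.new(name: "bob",   staff: false)
CAROL = User.new(name: "carol", staff: true)

def scenario
  [
    Post.new(id: 1, user: ALICE, whisper: false, deleted: false),
    Post.new(id: 2, user: BOB,   whisper: false, deleted: false),
    Post.new(id: 3, user: CAROL, whisper: true,  deleted: false),
    Post.new(id: 4, user: BOB,   whisper: false, deleted: true), # last post deleted
  ]
end

if __FILE__ == $PROGRAM_NAME
  posts = scenario
  puts "vulnerable last poster:  #{last_poster_vulnerable(posts)}"  # carol (leaked)
  puts "last poster for alice:   #{last_poster_for(posts, ALICE)}"  # bob
  puts "last poster for carol:   #{last_poster_for(posts, CAROL)}"  # carol
  puts "vulnerable participants: #{participants_vulnerable(posts, [ALICE, BOB]).inspect}"
  puts "participants for alice:  #{participants_for(posts, [ALICE, BOB], ALICE).inspect}"
end
```

The point of the hardened versions is that any value derived from a post stream (last poster, participant list, post counts, "last posted at") has to be computed per visibility class, or cached separately for staff and non-staff, rather than stored once per topic; otherwise a deletion or a whisper in an unusual place will surface the hidden author.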
Recommendations: Update to Discourse 2.7.7 or later. Until the update can be applied, as a temporary mitigation, avoid whispering in personal messages and avoid deleting the last post of a topic when the post before it is a whisper.

Fix: Discourse 2.7.7

Weakness Enumeration: Exposure of Resource to Wrong Sphere (CWE-668)

Related Identifiers

BIT-DISCOURSE-2021-32788
CVE-2021-32788
GHSA-V6XG-Q577-VC92

Affected Products

Discourse