CVE-2021-41082

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Discourse versions prior to the latest commit

Description Discourse is a platform for community discussion. In affected versions, any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not compromised as users were not able to view the posts in the leaked private message despite seeing it in their inbox. The problematic commit was reverted around 32 minutes after it was made.

Recommendations Upgrade to the latest commit if running Discourse against the tests-passed branch.

Fix

Incorrect Authorization

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863CWE-200

Related Identifiers

BIT-DISCOURSE-2021-41082

CVE-2021-41082

GHSA-VM3X-W6JM-J9VV

Affected Products

Discourse

CVE-2021-41082

Weakness Enumeration

Related Identifiers

Affected Products

References · 7