PT-2021-23938 · Discourse · Discourse

Author: Samuel Grant
Published: 2021-12-01 · Updated: 2024-03-06
CVE: CVE-2021-43792
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 2.7.11
Description: A vulnerability affects users of tag groups who use the "Tags are visible only to the following groups" feature in Discourse, an open source discussion platform. This feature allows a tag group to restrict visibility of certain tags to specific groups, such as staff. However, if a user's group membership is revoked, they may still receive notifications related to the tag, even though they can no longer view the tag on each topic, so the notifications disclose activity on topics the user is no longer permitted to see.
Recommendations: For versions prior to 2.7.11, upgrade to version 2.7.11 or later as soon as possible to resolve the issue. As a temporary workaround, consider restricting access to the /preferences/tags endpoint for users who have had their staff status revoked, until the upgrade can be applied.

Fix: available
Type: Information Disclosure
Weakness Enumeration: not listed

Related Identifiers:
BIT-DISCOURSE-2021-43792
CVE-2021-43792
GHSA-PQ2X-VQ37-8522

Affected Products: Discourse