PT-2022-16890 · Discourse · Discourse
Nattsw · Published 2022-04-11 · Updated 2024-03-06
CVE-2022-24804
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 2.8.3
Discourse beta versions prior to 2.9.0.beta4
Description
Discourse, an open-source platform for community discussion, erroneously exposes the names of groups. When a group with restricted visibility is used to set the permissions of a category, the name of that group is leaked to any user who can see the category, even though the group itself should not be visible to that user.
Recommendations
The issue is fixed in Discourse 2.8.3 and 2.9.0.beta4. For versions prior to 2.8.3 and beta versions prior to 2.9.0.beta4, a site administrator can remove groups with restricted visibility from every category's permissions setting as a workaround until the upgrade is applied.
Incorrect Default Permissions
Information Disclosure
Affected Products
Discourse