CVE-2022-24850

Name of the Vulnerable Software and Affected Versions Discourse versions prior to the latest stable, beta and tests-passed versions

Description Discourse is an open source platform for community discussion. A category's group permissions settings can be viewed by anyone that has access to the category. As a result, a normal user is able to see whether a group has read/write permissions in the category even though the information should only be available to the users that can manage a category.

Recommendations Update to the latest stable, beta or tests-passed version of Discourse to resolve the issue. As a temporary workaround, consider restricting access to category settings for non-managing users until a patch is applied. Restrict access to the group permissions settings to minimize the risk of exploitation.