PT-2022-16940 · Discourse · Discourse Assign

Pmusaraj · Published 2022-04-26 · Updated 2022-05-06 · CVE-2022-24866

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Discourse Assign versions prior to 1.0.1

Description: The UserBookmarkSerializer in Discourse Assign serialized the whole User / Group object, which leaked some private information. This data was only accessible to people who could view assignment info, which is limited to staff by default; on sites that had enabled assign features publicly, however, the data was accessible to more people than just staff.

Recommendations: For versions prior to 1.0.1, update to version 1.0.1 to resolve the issue. As a temporary workaround, consider restricting access to assignment info to minimize the risk of exploitation.
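The weakness described above is over-serialization: a serializer that dumps every attribute of a model instead of an explicit allowlist. The following Ruby is an added example written for this entry, not code from Discourse or the Discourse Assign plugin; the user record, its field names and the sensitive/public split are constructed assumptions, not the plugin's schema. It contrasts the whole-object pattern with an allowlisted serializer and includes a check that a test suite can use to catch regressions.

```ruby
require 'json'

# Constructed sample user record (field names are assumptions, not Discourse's schema).
User = Struct.new(:id, :username, :name, :email, :ip_address, :last_seen_at,
                  keyword_init: true)

SAMPLE_USER = User.new(
  id: 42,
  username: 'alice',
  name: 'Alice',
  email: 'alice@example.invalid',        # constructed
  ip_address: '203.0.113.9',             # constructed, documentation range
  last_seen_at: '2022-04-01T00:00:00Z'   # constructed
).freeze

# Fields a viewer of assignment info legitimately needs.
PUBLIC_USER_FIELDS = %i[id username name].freeze
# Fields that must never reach a serializer exposed to non-staff viewers.
SENSITIVE_FIELDS = %i[email ip_address last_seen_at].freeze

# Vulnerable pattern: serialize the entire object, so every attribute,
# sensitive or not, ends up in the JSON payload.
def serialize_whole_user(user)
  user.to_h
end

# Hardened pattern: emit only an explicit allowlist of attributes.
def serialize_assigned_user(user)
  PUBLIC_USER_FIELDS.to_h { |field| [field, user[field]] }
end

# Regression check: return any sensitive keys present in a serialized hash.
# An empty result means the payload is safe to send to assignment viewers.
def leaked_fields(serialized)
  serialized.keys.map(&:to_sym) & SENSITIVE_FIELDS
end

if __FILE__ == $PROGRAM_NAME
  puts "whole object leaks: #{leaked_fields(serialize_whole_user(SAMPLE_USER)).inspect}"
  puts "allowlisted leaks:  #{leaked_fields(serialize_assigned_user(SAMPLE_USER)).inspect}"
  puts JSON.generate(serialize_assigned_user(SAMPLE_USER))
end
```

In a real application the same check belongs in the serializer's unit tests, so that adding a new sensitive column to the model cannot silently widen the payload.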

Exploit · Fix · Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2022-24866
GHSA-9XHF-WVJX-F5W9

Affected Products

Discourse Assign