PT-2022-20523 · Discourse · Discourse-Chat

Zogstrip · Published 2022-06-21 · Updated 2023-07-24 · CVE-2022-31095

CVSS v3.1: 4.3 (Medium) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: discourse-chat versions prior to 0.4
Description: The issue affects the discourse-chat plugin for the Discourse application. It allows an attacker who knows the ID of a message in a channel they do not have access to to view that message through the chat message lookup endpoint. This primarily affects direct message channels. There are no known workarounds for this issue.
Recommendations: For versions prior to 0.4, update the plugin to version 0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the chat message lookup endpoint until the plugin can be updated.
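As an added illustration (not Discourse's or the plugin's own code), the following Ruby model shows the lookup pattern the advisory describes next to a hardened lookup that checks channel membership before returning a message; the channel, message and user IDs are constructed sample data.

```ruby
# Added illustration, not Discourse code: an in-memory model of a chat
# message lookup endpoint. All ids and message bodies below are constructed.
require 'set'

Message = Struct.new(:id, :channel_id, :body)
Channel = Struct.new(:id, :member_ids)

CHANNELS = {
  1 => Channel.new(1, Set[10, 11]), # direct-message channel of users 10 and 11
  2 => Channel.new(2, Set[10, 12])  # direct-message channel of users 10 and 12
}.freeze

MESSAGES = {
  100 => Message.new(100, 1, 'private note between 10 and 11'),
  200 => Message.new(200, 2, 'private note between 10 and 12')
}.freeze

class NotFound < StandardError; end

# Vulnerable pattern: the lookup is keyed only on the message id, so any
# authenticated user who learns the id receives the message regardless of
# whether they belong to its channel.
def lookup_message_unchecked(message_id, _user_id)
  MESSAGES.fetch(message_id) { raise NotFound }
end

# Membership check: a user may see a channel only if they are a member.
def can_see_channel?(user_id, channel_id)
  channel = CHANNELS[channel_id]
  !channel.nil? && channel.member_ids.include?(user_id)
end

# Hardened pattern: resolve the message, then require channel membership
# before returning it. "No such message" and "not a member" raise the same
# error so the response does not reveal whether the id exists.
def lookup_message(message_id, user_id)
  message = MESSAGES[message_id]
  raise NotFound if message.nil? || !can_see_channel?(user_id, message.channel_id)

  message
end
```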

Weakness Enumeration

Missing Authorization
Information Disclosure

Related Identifiers

CVE-2022-31095
GHSA-R979-JHP2-3F6H

Affected Products

Discourse-Chat