PT-2022-24944 · Discourse · Discourse

Highjomaxro · Published 2022-11-14 · Updated 2024-03-06 · CVE-2022-39385

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Discourse (affected versions not specified)

Description: The issue affects the Discourse open source discussion platform. In rare cases, a user redeeming an invitation can be added as a participant to several private message topics they should not have access to, without being notified. This happens transparently in the background.

Recommendations: To resolve the issue, users are advised to upgrade to a future release that includes the fix. As a temporary workaround, consider setting SiteSetting.max_invites_per_day to 0 until the patch is installed.

Exploit

Fix

Incorrect Authorization

Information Disclosure

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2022-39385
CVE-2022-39385
GHSA-GH5R-J595-QX48

Affected Products

Discourse