PT-2023-14816 · Discourse · Discourse
Lowjomaxropu · Published 2023-01-05 · Updated 2024-03-06 · CVE-2022-46168
CVSS v3.1: 3.5 (Low)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 2.8.14 on the stable branch, and versions prior to 2.9.0.beta15 on the beta and tests-passed branches.

Description: Discourse is an open-source discussion platform. Prior to the versions listed above, recipients of a group SMTP email could see the email addresses of all other users in the group SMTP topic. In most cases this is not a concern, because the participants are likely already familiar with one another's email addresses. The issue is resolved by masking email addresses with blind carbon copy (BCC) when sending email via group SMTP to non-staged users. Staged users are those who have likely only interacted with the group via email, and may include others who were CC'd on the original email to the group.

Recommendations: For versions prior to 2.8.14 on the stable branch, update to version 2.8.14 or later. For versions prior to 2.9.0.beta15 on the beta and tests-passed branches, update to version 2.9.0.beta15 or later. As a temporary workaround, consider disabling group SMTP for any groups that have it enabled.
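The following is an added illustration of the mitigation the advisory describes; it is not Discourse's own code and the recipient list, addresses and helper names are constructed for the example. It contrasts the pre-fix header layout (every recipient visible in To) with the fixed layout, where staged, email-only participants stay in To and non-staged forum users are moved to Bcc, and adds a check that no non-staged address remains in the headers a recipient can see.

```ruby
# Added example (not Discourse's own code). Shows the BCC masking described in
# the advisory: staged users (email-only participants) remain visible in To,
# non-staged forum users go in Bcc so other recipients never see their address.

Recipient = Struct.new(:email, :staged, keyword_init: true)

# Pre-fix behaviour described by the advisory: every recipient is listed in To.
def build_headers_unmasked(from:, subject:, recipients:)
  {
    "From" => from,
    "Subject" => subject,
    "To" => recipients.map(&:email).join(", "),
  }
end

# Splits recipients into the visible (staged) and hidden (non-staged) sets.
def split_group_smtp_recipients(recipients)
  visible, hidden = recipients.partition(&:staged)
  { to: visible.map(&:email), bcc: hidden.map(&:email) }
end

# Fixed behaviour: only staged recipients appear in To; the rest are Bcc'd.
def build_headers_masked(from:, subject:, recipients:)
  parts = split_group_smtp_recipients(recipients)
  headers = { "From" => from, "Subject" => subject }
  headers["To"] = parts[:to].join(", ") unless parts[:to].empty?
  headers["Bcc"] = parts[:bcc].join(", ") unless parts[:bcc].empty?
  headers
end

# What a recipient actually receives: the Bcc header is stripped on delivery.
def visible_headers(headers)
  headers.reject { |name, _| name == "Bcc" }
end

# Check used as a regression guard: true if any non-staged address is exposed
# in the headers a recipient can see.
def leaks_non_staged?(recipients, headers)
  seen = visible_headers(headers).values.join(" ")
  recipients.reject(&:staged).any? { |r| seen.include?(r.email) }
end

# Constructed sample recipients for the demonstration (not from the advisory).
SAMPLE_RECIPIENTS = [
  Recipient.new(email: "customer@example.org", staged: true),
  Recipient.new(email: "alice@example.com", staged: false),
  Recipient.new(email: "bob@example.com", staged: false),
].freeze

if __FILE__ == $0
  args = { from: "support@example.com", subject: "Re: ticket", recipients: SAMPLE_RECIPIENTS }
  before = build_headers_unmasked(**args)
  after = build_headers_masked(**args)
  puts "unmasked leaks non-staged addresses? #{leaks_non_staged?(SAMPLE_RECIPIENTS, before)}"
  puts "masked leaks non-staged addresses?   #{leaks_non_staged?(SAMPLE_RECIPIENTS, after)}"
  puts "headers as delivered: #{visible_headers(after)}"
end
```

The `leaks_non_staged?` check is the kind of assertion worth keeping in a mailer's test suite after applying the fix: it fails on the pre-fix layout and passes once non-staged addresses are confined to Bcc.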

Related Identifiers

BIT-DISCOURSE-2022-46168
CVE-2022-46168
GHSA-8P7G-3WM6-P3RM

Affected Products

Discourse