CVE-2023-23622

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 3.0.1 of the stable branch Discourse versions prior to 3.1.0.beta2 of the beta and tests-passed branches

Description Discourse is an open-source discussion platform. Prior to version 3.0.1 of the stable branch and version 3.1.0.beta2 of the beta and tests-passed branches, the count of topics displayed for a tag is a count of all regular topics regardless of whether the topic is in a read restricted category or not. As a result, any users can technically poll a sensitive tag to determine if a new topic is created in a category which the user does not have access to. In version 3.0.1 of the stable branch and version 3.1.0.beta2 of the beta and tests-passed branches, the count of topics displayed for a tag defaults to only counting regular topics which are not in read restricted categories. Staff users will continue to see a count of all topics regardless of the topic's category read restrictions.

Recommendations For Discourse versions prior to 3.0.1 of the stable branch, update to version 3.0.1 or later. For Discourse versions prior to 3.1.0.beta2 of the beta and tests-passed branches, update to version 3.1.0.beta2 or later.