PT-2023-19307 · Discourse · Discourse
Jomaxro
·
Published
2023-03-16
·
Updated
2024-03-06
·
CVE-2023-23935
CVSS v3.1
3.5
Low
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Discourse versions 3.0.1 and prior
Discourse versions 3.1.0.beta2 and prior
Description
The count of personal messages displayed for a tag included every personal message carrying that tag, regardless of whether the requesting user could see those messages. A user could therefore poll a sensitive tag and learn when a new personal message was created, without having any access to the message itself. In patched versions the count of personal messages tagged with a given tag is hidden by default; an admin can enable the display personal messages tag counts site setting to revert to the old behavior, which reintroduces the disclosure.
Recommendations
For Discourse versions 3.0.1 and prior, and 3.1.0.beta2 and prior, update to a version where the count of personal messages tagged with a given tag is hidden by default.
As a temporary workaround until the update is applied, disable the display of personal message tag counts. After updating, leave the display personal messages tag counts site setting disabled, since enabling it restores the vulnerable behavior.
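The following is an added Ruby example, not Discourse's own code, that models the tag-count oracle the description above explains: a count computed over every personal message carrying a tag, with no visibility check, versus the patched behavior where the count is hidden unless the site setting is turned back on. The Topic struct, SITE_SETTINGS, the sample topics and all method names are hypothetical stand-ins for the real application models.

```ruby
# Added example, not Discourse's own code: an in-memory model of the per-tag
# personal-message count described in the advisory. Topic, SITE_SETTINGS and
# the method names below are hypothetical stand-ins for the real models.

Topic = Struct.new(:id, :tags, :personal_message, :allowed_user_ids, keyword_init: true)

# Constructed sample data: one public topic and two personal messages, all
# tagged "hr-sensitive". User 42 is a participant in PM 2 only.
TAG = "hr-sensitive"
TOPICS = [
  Topic.new(id: 1, tags: [TAG], personal_message: false, allowed_user_ids: []),
  Topic.new(id: 2, tags: [TAG], personal_message: true,  allowed_user_ids: [7, 42]),
  Topic.new(id: 3, tags: [TAG], personal_message: true,  allowed_user_ids: [7, 9]),
]

# The site setting named in the advisory; false is the patched default.
SITE_SETTINGS = { display_personal_messages_tag_counts: false }.freeze

def can_see?(topic, user_id)
  !topic.personal_message || topic.allowed_user_ids.include?(user_id)
end

# Number of PMs under the tag that the user is actually allowed to read.
def visible_pm_tag_count(topics, tag, user_id)
  topics.count { |t| t.personal_message && t.tags.include?(tag) && can_see?(t, user_id) }
end

# Vulnerable behaviour (3.0.1 / 3.1.0.beta2 and prior): the count covers every
# PM carrying the tag, with no visibility check against the requesting user.
def pm_tag_count_vulnerable(topics, tag, _user_id)
  topics.count { |t| t.personal_message && t.tags.include?(tag) }
end

# Patched behaviour: the PM count is not exposed (nil) unless an admin turns the
# site setting on, which reverts to the old, leaky count.
def pm_tag_count_patched(topics, tag, user_id, settings = SITE_SETTINGS)
  return nil unless settings[:display_personal_messages_tag_counts]
  pm_tag_count_vulnerable(topics, tag, user_id)
end

# The polling attack: can an observer who is not a party to a newly created PM
# detect it from a before/after difference in the tag count?
def new_pm_observable?(topics, tag, observer_id, counter)
  before = counter.call(topics, tag, observer_id)
  hidden_pm = Topic.new(id: topics.map(&:id).max + 1, tags: [tag],
                        personal_message: true, allowed_user_ids: [7, 9])
  after = counter.call(topics + [hidden_pm], tag, observer_id)
  before != after
end

if __FILE__ == $0
  puts "visible to user 42: #{visible_pm_tag_count(TOPICS, TAG, 42)}"
  puts "vulnerable count:   #{pm_tag_count_vulnerable(TOPICS, TAG, 42)}"
  puts "patched (default):  #{pm_tag_count_patched(TOPICS, TAG, 42).inspect}"
  puts "oracle, vulnerable: #{new_pm_observable?(TOPICS, TAG, 42, method(:pm_tag_count_vulnerable))}"
  puts "oracle, patched:    #{new_pm_observable?(TOPICS, TAG, 42, method(:pm_tag_count_patched))}"
end
```

User 42 can legitimately see one personal message under the tag, yet the vulnerable count reports two, and it changes when a third PM between users 7 and 9 is created, which is exactly the signal a poller needs. With the patched default the count is absent, so the oracle disappears; passing a settings hash with the option enabled brings the old count, and the leak, back.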
Information Disclosure
Affected Products
Discourse