PT-2023-19954 · Discourse · Discourse Yearly Review Plugin
Jomaxro · Published 2023-03-06 · Updated 2023-03-13
CVE-2023-25169
CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Discourse Yearly Review plugin (affected versions not specified)
Description
In the Discourse Yearly Review plugin, when a user who appears in a yearly review topic is later anonymized, some data remains linked to the original account. This issue has been patched in the latest version of the plugin.
Recommendations
To resolve the issue, users are advised to upgrade to the latest version of the Discourse Yearly Review plugin.
Users unable to upgrade may disable the yearly review enabled setting to fully mitigate the issue.
It's also possible to edit the anonymized user's old data in the yearly review topics manually.
Information Disclosure
Affected Products
Discourse Yearly Review Plugin