PT-2023-29000 · Discourse · Discourse
Jomaxro
·
Published
2023-10-16
·
Updated
2024-03-06
·
CVE-2023-43814
CVSS v3.1
3.7
Low
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 3.1.1 stable
Discourse versions prior to 3.2.0.beta2
Description
Discourse is an open source platform for community discussion. Attackers with details specific to a poll in a topic can use the "/polls/grouped poll results" endpoint to view the content of options in the poll and the number of votes for groups of poll participants. This impacts private polls where the results were intended to only be viewable by authorized users.
Recommendations
For versions prior to 3.1.1 stable, upgrade to version 3.1.1 stable or later.
For versions prior to 3.2.0.beta2, upgrade to version 3.2.0.beta2 or later.
As a temporary workaround, consider restricting access to the "/polls/grouped poll results" endpoint until a patch is available.
Exploit
Fix
Information Disclosure
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Discourse