PT-2024-26909 · Discourse · Discourse
Nattsw
·
Published
2024-07-03
·
Updated
2024-09-18
·
CVE-2024-36122
CVSS v3.1
2.4
Low
| Vector | AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 3.2.3 on the stable branch
Discourse versions prior to 3.3.0.beta4 on the beta and tests-passed branches
Description
The issue affects moderators using the review queue, allowing them to see a user's email address even when the setting to allow moderators to view email addresses is disabled.
Recommendations
For versions prior to 3.2.3 on the stable branch, update to version 3.2.3 or later.
For versions prior to 3.3.0.beta4 on the beta and tests-passed branches, update to version 3.3.0.beta4 or later.
As a temporary workaround, consider preventing moderators from accessing the review queue.
Alternatively, disable the
approve suspect users site setting and the must approve users site setting to prevent users from being added to the review queue.Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Discourse