Disclosure of the existence of secret categories with custom backgrounds
Package
discourse (Discourse)
Affected versions
stable <= 3.2.0; beta <= 3.3.0.beta1; tests-passed <= 3.3.0.beta1
Patched versions
stable >= 3.2.1; beta >= 3.3.0.beta2; tests-passed >= 3.3.0.beta2
Impact
An attacker can learn that secret categories exist when those categories have backgrounds set.
Patches
The issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Workarounds
Temporarily remove category backgrounds.