Skip to content

Disclosure of the existence of secret categories with custom backgrounds

Moderate
nattsw published GHSA-c7q7-7f6q-2c23 Mar 15, 2024

Package

discourse (Discourse)

Affected versions

stable <= 3.2.0; beta <= 3.3.0.beta1; tests-passed <= 3.3.0.beta1

Patched versions

stable >= 3.2.1; beta >= 3.3.0.beta2; tests-passed >= 3.3.0.beta2

Description

Impact

An attacker can learn that secret categories exist when they have backgrounds set.

Patches

The issue is patched in the latest stable, beta and tests-passed version of Discourse.

Workarounds

Temporarily remove category backgrounds.

Severity

Moderate
5.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2024-28242

Weaknesses