CVE-2022-24866

Опубликовано: 26 апр. 2022

Источник: nvd

CVSS3: 4.3

CVSS2: 4

EPSS Низкий

Описание

Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only being serialized to people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff member, but for sites with assign features enabled publicly, the data was accessible to more people than just staff. Version 1.0.1 contains a patch. There are currently no known workarounds.

Ссылки

https://github.com/discourse/discourse-assign/pull/320
Issue Tracking
Patch
Third Party Advisory
https://github.com/discourse/discourse-assign/security/advisories/GHSA-9xhf-wvjx-f5w9
Third Party Advisory
https://github.com/discourse/discourse-assign/pull/320
Issue Tracking
Patch
Third Party Advisory
https://github.com/discourse/discourse-assign/security/advisories/GHSA-9xhf-wvjx-f5w9
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:discourse:assign:*:*:*:*:*:discourse:*:*

Версия до 1.0.1 (исключая)

EPSS

Процентиль: 38%

0.00167

Низкий

4.3 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-200