CVE-2023-45131: Unauthenticated access to new private chat messages
Discourse is an open source platform for community discussion. New chat messages can be read by making an unauthenticated POST request to MessageBus. This issue is patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.
High
jomaxro published GHSA-84gf-hhrc-9pw6
Oct 16, 2023
Package
Discourse (Discourse)
Affected versions
stable > 3.1.0 && <= 3.1.1; beta > 3.1.0.beta6 && <= 3.2.0.beta2; tests-passed > 3.1.0.beta6 && <= 3.2.0.beta2
Patched versions
stable >= 3.1.2; beta > 3.2.0.beta2; tests-passed > 3.2.0.beta2
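As an added example (not part of the advisory and not Discourse project code), the following Ruby snippet encodes the affected ranges listed above and checks whether an installed version on a given release branch falls inside them. It relies on RubyGems' Gem::Version, which orders a ".betaN" suffix as a prerelease below the corresponding final release, so "3.1.0.beta6" sorts below "3.1.0" and "3.2.0.beta2" below "3.2.0". The branch names and bounds are taken from the advisory; the function names are assumptions of this example.

```ruby
require 'rubygems' # Gem::Version ships with RubyGems and is loaded by default

# Affected ranges transcribed from the advisory's "Affected versions" field.
# Each branch has an exclusive lower bound (">") and an inclusive upper bound ("<=").
AFFECTED_RANGES = {
  'stable'       => { above: '3.1.0',       up_to: '3.1.1' },
  'beta'         => { above: '3.1.0.beta6', up_to: '3.2.0.beta2' },
  'tests-passed' => { above: '3.1.0.beta6', up_to: '3.2.0.beta2' },
}.freeze

# Returns true when +version+ lies inside the affected range for +branch+.
# Gem::Version treats a trailing alphabetic segment (beta) as a prerelease,
# which is exactly the ordering the advisory's ranges assume.
def affected?(branch, version)
  range = AFFECTED_RANGES.fetch(branch) { raise ArgumentError, "unknown branch: #{branch}" }
  v = Gem::Version.new(version)
  v > Gem::Version.new(range[:above]) && v <= Gem::Version.new(range[:up_to])
end

# Builds a short report for an installed instance; the return value is what an
# inventory script would record (branch, version, verdict, and the range applied).
def report(branch, version)
  range = AFFECTED_RANGES.fetch(branch)
  {
    branch: branch,
    version: version,
    affected: affected?(branch, version),
    range: "> #{range[:above]} && <= #{range[:up_to]}",
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory, not real hosts.
  [['stable', '3.1.1'], ['stable', '3.1.2'], ['beta', '3.1.0.beta7'], ['beta', '3.2.0.beta3']].each do |branch, version|
    r = report(branch, version)
    puts "#{r[:branch]} #{r[:version]}: #{r[:affected] ? 'AFFECTED' : 'not affected'} (#{r[:range]})"
  end
end
```

The check follows the "Affected versions" field rather than the summary sentence, so 3.1.1 on the stable branch is reported as affected and 3.1.2 as not; when in doubt, the "Patched versions" field is the authoritative upgrade target.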
Description
Impact
New chat messages can be read by making an unauthenticated POST request to MessageBus.
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Workarounds
None.
Severity
CVSS base metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N