Headline
CVE-2023-44391: Prevent unauthorized access to summary details
Discourse is an open source platform for community discussion. User summaries are accessible for anonymous users even when hide_user_profiles_from_public is enabled. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Package
discourse (Discourse)
Affected versions
stable <= 3.1.1; beta <= 3.2.0.beta2; tests-passed <= 3.2.0.beta2
Patched versions
stable > 3.1.1; beta > 3.2.0.beta2; tests-passed > 3.2.0.beta2
Description
Impact
User summaries are accessible for anonymous users even when hide_user_profiles_from_public is enabled.
Patches
The problem has been patched in the latest version of Discourse.
Workarounds
None.