Headline
CVE-2023-22453: Exposure of user post counts per topic to unauthorized users
Discourse is an open source discussion platform. Prior to version 2.8.14 on the stable branch and version 3.0.0.beta16 on the beta and tests-passed branches, the number of times a user posted in an arbitrary topic is exposed to unauthorized users through the /u/username.json endpoint. The issue is patched in version 2.8.14 and 3.0.0.beta16. There is no known workaround.
Moderate
jomaxro published GHSA-xx97-6494-p2rv
Jan 5, 2023
Package
No package listed
Affected versions
stable <= 2.8.13; beta <= 3.0.0.beta15; tests-passed <= 3.0.0.beta15
Patched versions
stable >= 2.8.14; beta >= 3.0.0.beta16; tests-passed >= 3.0.0.beta16
Description
Impact
The number of times a user posted in an arbitrary topic is exposed to unauthorized users through the /u/username.json endpoint.
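The defect class here is an authorization check missing at the point where data is serialized: a per-topic count is returned for whatever topic the caller names, regardless of whether the caller may read that topic. The following Ruby is an added illustration written for this advisory, not Discourse's own code or its fix. It models a minimal profile endpoint and places the "can the viewer see this topic?" check in front of the count. The `include_post_count_for` parameter name, the `ViewerGuardian` stub (Discourse's real authorization object is called Guardian, but this one is an assumption) and all sample data are constructed for the example.

```ruby
# Added illustration, not Discourse's own code: a minimal model of a user
# profile serializer that reports how many times a user posted in a topic
# only when the viewer is allowed to see that topic.

Topic = Struct.new(:id, :private, keyword_init: true)

# Constructed sample data: topic 10 is public, topic 20 sits in a private category.
TOPICS = {
  10 => Topic.new(id: 10, private: false),
  20 => Topic.new(id: 20, private: true),
}.freeze

# Constructed per-topic post counts for the profiled user ("alice").
POST_COUNTS = { 10 => 3, 20 => 7 }.freeze

# Stand-in for an authorization object (an assumption for this example, not
# Discourse's Guardian). Staff see every topic; anonymous and regular users
# only see public ones.
class ViewerGuardian
  def initialize(staff: false)
    @staff = staff
  end

  def can_see_topic?(topic)
    return false if topic.nil?   # unknown topic id: deny rather than leak
    @staff || !topic.private
  end
end

# Vulnerable shape: the count is returned for any topic id the caller supplies,
# so an anonymous viewer learns activity in topics they cannot read.
def profile_json_unchecked(username, include_post_count_for:)
  { username: username, topic_post_count: POST_COUNTS[include_post_count_for] }
end

# Hardened shape: the count is only attached when the viewer can see the topic;
# otherwise the key is omitted entirely, so absence does not reveal anything.
def profile_json_checked(username, include_post_count_for:, guardian:)
  json = { username: username }
  topic = TOPICS[include_post_count_for]
  if guardian.can_see_topic?(topic)
    json[:topic_post_count] = POST_COUNTS.fetch(include_post_count_for, 0)
  end
  json
end

if __FILE__ == $PROGRAM_NAME
  anon  = ViewerGuardian.new
  staff = ViewerGuardian.new(staff: true)
  p profile_json_unchecked("alice", include_post_count_for: 20)                  # leaks 7
  p profile_json_checked("alice", include_post_count_for: 20, guardian: anon)    # no count
  p profile_json_checked("alice", include_post_count_for: 20, guardian: staff)   # 7
  p profile_json_checked("alice", include_post_count_for: 10, guardian: anon)    # 3
end
```

The design point is that the check lives next to the field being emitted, keyed on the viewer's permission for the specific topic, not on whether the profile itself is public. Omitting the key, rather than returning 0 or null, also avoids turning the response into an oracle for whether the topic exists.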
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Workarounds
There is no known workaround.
Severity
CVSS base metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses