CVE-2022-23546: SECURITY: Convert send_digest to a post request (#19746) · discourse/discourse@cf862e7
In version 2.9.0.beta14 of Discourse, an open-source discussion platform, maliciously embedded URLs can leak an admin’s digest of recent topics, possibly exposing private information. A patch is available in version 2.9.0.beta15. There are no known workarounds for this issue.
@@ -337,6 +337,19 @@
end
end
describe ‘#send_digest’ do
context “when logged in as an admin” do
before { sign_in(admin) }
it “sends the digest” do
post "/admin/email/send-digest.json", params: {
last_seen_at: 1.week.ago, username: admin.username, email: email(‘previous_replies’)
}
expect(response.status).to eq(200)
end
end
end
describe ‘#handle_mail’ do
context “when logged in as an admin” do
before { sign_in(admin) }
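Review bot: the new `#send_digest` spec only exercises the admin happy path (`post "/admin/email/send-digest.json"` with `last_seen_at`, `username` and `email`, expecting 200), so nothing in the suite locks in the actual fix. Since the purpose of this change is to stop the digest from being triggered by a GET that can be embedded in a URL, add a regression case in the same `describe` block asserting that `get "/admin/email/send-digest.json"` with the same params no longer returns 200, and a `context "when logged in as a non-admin"` case asserting the POST is rejected (403 or 404, whichever the other admin email specs in this file expect), so a future route change cannot silently reintroduce the GET path.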