CVE-2021-32788

Published: Jul 27, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

Discourse is an open source discussion platform. In versions prior to 2.7.7 there are two bugs which led to the post creator of a whisper post being revealed to non-staff users. 1: Staff users that creates a whisper post in a personal message is revealed to non-staff participants of the personal message even though the whisper post cannot be seen by them. 2: When a whisper post is before the last post in a post stream, deleting the last post will result in the creator of the whisper post to be revealed to non-staff users as the last poster of the topic.

Vendor	Product	Versions
discourse	discourse	affected `< 2.7.7`

Weaknesses (CWE)

CWE-668

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/discourse/discourse/security/advisories/GHSA-v6xg-q577-vc92

x_refsource_CONFIRM

https://github.com/discourse/discourse/commit/680024f9071b7696e5a444a58791016c6dc1f1e5

x_refsource_MISC

https://github.com/discourse/discourse/commit/dbdf61196d9e964e8823793d2e7f856595fea4d9

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-32788

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References