CVE-2021-43792

Published: Dec 1, 2021

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

Discourse is an open source discussion platform. In affected versions a vulnerability affects users of tag groups who use the "Tags are visible only to the following groups" feature. A tag group may only allow a certain group (e.g. staff) to view certain tags. Users who were tracking or watching the tags via /preferences/tags, then have their staff status revoked will still see notifications related to the tag, but will not see the tag on each topic. This issue has been patched in stable version 2.7.11. Users are advised to upgrade as soon as possible.

Vendor	Product	Versions
discourse	discourse	affected `stable < 2.7.11` affected `beta < 2.8.0.beta9` affected `tests-passed < 2.8.0.beta9`

Weaknesses (CWE)

CWE-200

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/discourse/discourse/security/advisories/GHSA-pq2x-vq37-8522

x_refsource_CONFIRM

https://github.com/discourse/discourse/commit/cdaf7f4bb3ec268238e4c29a14bb73fad56574b4

x_refsource_MISC

https://meta.discourse.org/t/non-forum-staff-getting-notifications-for-staff-only-tags/184895

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-43792

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References