CVE-2024-36122

Published: Jul 3, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

2.4

LOW

Description

Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, moderators using the review queue to review users may see a users email address even when the Allow moderators to view email addresses setting is disabled. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. As possible workarounds, either prevent moderators from accessing the review queue or disable the approve suspect users site setting and the must approve users site setting to prevent users from being added to the review queue.

Vendor	Product	Versions
discourse	discourse	affected `stable < 3.2.3` affected `beta < 3.3.0.beta4` affected `tests-passed < 3.3.0.beta4`

Weaknesses (CWE)

CWE-200

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/discourse/discourse/security/advisories/GHSA-rr93-hcw4-cv3f

x_refsource_CONFIRM

https://github.com/discourse/discourse/commit/8d5b21170efa4766e1a213ff07dc36d36cf3dfb4

x_refsource_MISC

https://github.com/discourse/discourse/commit/e2a7265dba3d9e943338db21ca38c50276b22f47

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-36122

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References