CVE-2025-47288

Published: May 29, 2025

Modified: May 30, 2025

PUBLISHED

CVSS v3.1

3.5

LOW

Description

Discourse Policy plugin gives the ability to confirm users have seen or done something. Prior to version 0.1.1, if there was a policy posted to a public topic that was tied to a private group then the group members could be shown to non-group members. This issue has been patched in version 0.1.1. A workaround involves moving any policy topics with private groups to restricted categories.

Vendor	Product	Versions
discourse	discourse-policy	affected `< 0.1.1`

Weaknesses (CWE)

CWE-200

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/discourse/discourse-policy/security/advisories/GHSA-jc5r-rm2j-mh4x

x_refsource_CONFIRM

https://github.com/discourse/discourse-policy/commit/6b4390fe486408cc86ccea6b091406cfac6c5b8f

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-47288

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References