Discourse is an open source discussion platform. In affected versions a vulnerability affects users of tag groups who use the Tags are visible only to the following groups feature. A tag group may only allow a certain group (e.g. staff) to view certain tags. Users who were tracking or watching the tags via /preferences/tags, then have their staff status revoked will still see notifications related to the tag, but will not see the tag on each topic. This issue has been patched in stable version 2.7.11. Users are advised to upgrade as soon as possible.
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Discourse | Discourse | * | 2.7.11 (excluding) |
| Discourse | Discourse | 2.8.0-beta1 (including) | 2.8.0-beta1 (including) |
| Discourse | Discourse | 2.8.0-beta2 (including) | 2.8.0-beta2 (including) |
| Discourse | Discourse | 2.8.0-beta3 (including) | 2.8.0-beta3 (including) |
| Discourse | Discourse | 2.8.0-beta4 (including) | 2.8.0-beta4 (including) |
| Discourse | Discourse | 2.8.0-beta5 (including) | 2.8.0-beta5 (including) |
| Discourse | Discourse | 2.8.0-beta6 (including) | 2.8.0-beta6 (including) |
| Discourse | Discourse | 2.8.0-beta7 (including) | 2.8.0-beta7 (including) |
There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include:
Information might be sensitive to different parties, each of which may have their own expectations for whether the information should be protected. These parties include:
Information exposures can occur in different ways:
It is common practice to describe any loss of confidentiality as an “information exposure,” but this can lead to overuse of CWE-200 in CWE mapping. From the CWE perspective, loss of confidentiality is a technical impact that can arise from dozens of different weaknesses, such as insecure file permissions or out-of-bounds read. CWE-200 and its lower-level descendants are intended to cover the mistakes that occur in behaviors that explicitly manage, store, transfer, or cleanse sensitive information.