CVE-2021-41082
HIGHDiscourse < 2021-09-14 - Exposure of Sensitive Information via Private Message Group Handling
Title source: llmDescription
Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not compromised as users were not able to view the posts in the leaked private message despite seeing it in their inbox. The problematic commit was reverted around 32 minutes after it was made. Users are encouraged to upgrade to the latest commit if they are running Discourse against the `tests-passed` branch.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/discourse/discourse/security/advisories/GHSA-vm3x-w6jm-j9vv
Patch, Third Party Advisory x_refsource_misc
https://github.com/discourse/discourse/commit/27bad28c530c89acab35a56b945b6a3924280f4b
Patch, Third Party Advisory x_refsource_misc
https://github.com/discourse/discourse/commit/ddb458343dc39a7a8c99467dcd809b444514fe2c
Scores
CVSS v3
7.5
EPSS
0.0070
EPSS Percentile
72.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
CWE-863
Status
published
Products (1)
discourse/discourse
< 2021-09-14
Published
Sep 20, 2021
Tracked Since
Feb 18, 2026