Description
In version 2.9.0.beta14 of Discourse, an open-source discussion platform, maliciously embedded URLs can leak an admin's digest of recent topics, possibly exposing private information. A patch is available for version 2.9.0.beta15. There are no known workarounds for this issue.
References (2)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/discourse/discourse/security/advisories/GHSA-q9jp-xv4g-328f
Patch, Third Party Advisory x_refsource_misc
https://github.com/discourse/discourse/commit/cf862e736565c6fa905c12b5dbe63d0bd056efb8
Scores
CVSS v3
5.5
EPSS
0.0007
EPSS Percentile
20.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
discourse/discourse
2.9.0 beta1 (13 CPE variants)
discourse/discourse
< 2.9.0
Published
Jan 05, 2023
Tracked Since
Feb 18, 2026