CVE-2022-24866
MEDIUMDiscourse Assign < 1.0.1 - Exposure of Sensitive Information via UserBookmarkSerializer
Title source: llmDescription
Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only being serialized to people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff member, but for sites with assign features enabled publicly, the data was accessible to more people than just staff. Version 1.0.1 contains a patch. There are currently no known workarounds.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/discourse/discourse-assign/security/advisories/GHSA-9xhf-wvjx-f5w9
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/discourse/discourse-assign/pull/320
Scores
CVSS v3
4.3
EPSS
0.0017
EPSS Percentile
37.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (1)
discourse/assign
< 1.0.1
Published
Apr 26, 2022
Tracked Since
Feb 18, 2026