CVE-2023-23935

LOW

Discourse <3.0.1-3.1.0.beta2 - Info Disclosure

Title source: llm

Description

Discourse is an open-source messaging platform. In versions 3.0.1 and prior on the `stable` branch and versions 3.1.0.beta2 and prior on the `beta` and `tests-passed` branches, the count of personal messages displayed for a tag is a count of all personal messages regardless of whether the personal message is visible to a given user. As a result, any users can technically poll a sensitive tag to determine if a new personal message is created even if the user does not have access to the personal message. In the patched versions, the count of personal messages tagged with a given tag is hidden by default. To revert to the old behaviour of displaying the count of personal messages for a given tag, an admin may enable the `display_personal_messages_tag_counts` site setting.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/discourse/discourse/security/advisories/GHSA-rf8j-mf8c-82v7

Patch x_refsource_misc

https://github.com/discourse/discourse/commit/f31f0b70f82c43d93220ce6fc0d4f57440452f37

View Patch ZIP pw:eip

Scores

CVSS v3 3.5

EPSS 0.0030

EPSS Percentile 53.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (5)

discourse/discourse 1.1.0 beta1 (9 CPE variants)

discourse/discourse 1.2.0 beta1 (9 CPE variants)

discourse/discourse 1.3.0 beta1 (11 CPE variants)

discourse/discourse 1.4.0 beta1 (12 CPE variants)

discourse/discourse 1.5.0 beta1 (9 CPE variants)

Published Mar 16, 2023

Tracked Since Feb 18, 2026