CVE-2023-34250

MEDIUM

Discourse < 3.0.4 - Unauthorized Sensitive Information Exposure via New Topics Dismissal Endpoint

Description

Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, an attacker could use the new topics dismissal endpoint to reveal the number of topics recently created (but not the actual content thereof) in categories they didn't have access to. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. There are no known workarounds.

Scores

CVSS v3 4.8
EPSS 0.0040
EPSS Percentile 31.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-200 CWE-668
Status published
Products (2)
discourse/discourse 3.1.0 beta1 (4 CPE variants)
discourse/discourse < 3.0.4
Published Jun 13, 2023
Tracked Since Feb 18, 2026