CVE-2024-56197
LOW
Discourse - Unauthorized Exposure of PM Titles and Metadata via PM Tags Feature
Title source: llmDescription
Discourse is an open source platform for community discussion. PM titles and metadata can be read by other users when the "PM tags allowed for groups" option is enabled, the other user is a member of a group added to this option, and the PM has been tagged. This issue has been patched in the latest `stable`, `beta` and `tests-passed` versions of Discourse. Users are advised to upgrade. Users unable to upgrade should remove all groups from the "PM tags allowed for groups" option.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_confirm
https://github.com/discourse/discourse/security/advisories/GHSA-xmgr-g9cp-v239
Scores
CVSS v3
2.2
EPSS
0.0014
EPSS Percentile
34.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (3)
discourse/discourse
3.4.0 beta1 (4 CPE variants)
discourse/discourse
< 3.3.4
discourse/discourse
< 3.4.0
Published
Feb 04, 2025
Tracked Since
Feb 18, 2026