Design/Logic Flaw

2023-01-0518:15:00

PRIOn knowledge base

www.prio-n.com

discourse

logic flaw

version 2.8.14

version 2.9.0.beta15

group smtp

email addresses

patched

blind carbon copy

staged users

workaround

4 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.9%

JSON

Discourse is an option source discussion platform. Prior to version 2.8.14 on the stable branch and version 2.9.0.beta15 on the beta and tests-passed branches, recipients of a group SMTP email could see the email addresses of all other users inside the group SMTP topic. Most of the time this is not an issue as they are likely already familiar with one another’s email addresses. This issue is patched in versions 2.8.14 and 2.9.0.beta15. The fix is that someone sending emails out via group SMTP to non-staged users masks those emails with blind carbon copy (BCC). Staged users are ones that have likely only interacted with the group via email, and will likely include other people who were CC’d on the original email to the group. As a workaround, disable group SMTP for any groups that have it enabled.

CPENameOperatorVersion
discourseeq2.9.0 beta1
discourseeq2.9.0 beta2
discourseeq2.9.0 beta3
discourseeq2.9.0 beta4
discourseeq2.9.0 beta5
discourseeq2.9.0 beta7
discourseeq2.9.0 beta8
discourseeq2.9.0 beta6
discourseeq2.9.0 beta10
discourseeq2.9.0 beta11

Name	Operator	Version
discourse	eq	2.9.0 beta1
discourse	eq	2.9.0 beta2
discourse	eq	2.9.0 beta3
discourse	eq	2.9.0 beta4
discourse	eq	2.9.0 beta5
discourse	eq	2.9.0 beta7
discourse	eq	2.9.0 beta8
discourse	eq	2.9.0 beta6
discourse	eq	2.9.0 beta10
discourse	eq	2.9.0 beta11