PRIOn knowledge base: PRION:CVE-2023-23935
History: Mar 16, 2023 - 9:15 p.m.

Design/Logic Flaw

2023-03-16 21:15:00
PRIOn knowledge base
www.prio-n.com
discourse
messaging platform
version control
personal messages
security flaw
visibility

AI Score: 4.6 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 21.0%)

Discourse is an open-source messaging platform. In versions 3.0.1 and prior on the stable branch and versions 3.1.0.beta2 and prior on the beta and tests-passed branches, the count of personal messages displayed for a tag is a count of all personal messages, regardless of whether each personal message is visible to the given user. As a result, any user can technically poll a sensitive tag to determine whether a new personal message has been created, even if that user does not have access to the personal message. In the patched versions, the count of personal messages tagged with a given tag is hidden by default. To revert to the old behaviour of displaying the count of personal messages for a given tag, an admin may enable the display_personal_messages_tag_counts site setting.
