CVE-2023-25169
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
discourse-yearly-review is a discourse plugin which publishes an automated Year in Review topic. In affected versions a user present in a yearly review topic that is then anonymised will still have some data linked to its original account. This issue has been patched in commit b3ab33bbf7 which is included in the latest version of the Discourse Yearly Review plugin. Users are advised to upgrade. Users unable to upgrade may disable the yearly_review_enabled setting to fully mitigate the issue. Also, it's possible to edit the anonymised user's old data in the yearly review topics manually.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| discourse | discourse-yearly-review | < 0.2 | affected |
Weaknesses
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7
- https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7
- https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.