CVE-2023-44391

Summary

Discourse is an open source platform for community discussion. User summaries are accessible for anonymous users even when hide_user_profiles_from_public is enabled. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Software

VendorProductVersion RangeStatus
discoursediscoursestable <= 3.1.1affected
discoursediscoursebeta <= 3.2.0.beta2affected

Weaknesses

  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References