CVE-2024-28242

Summary

Discourse is an open source platform for community discussion. In affected versions an attacker can learn that secret categories exist when they have backgrounds set. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. Users unable to upgrade should temporarily remove category backgrounds.

Affected Software

VendorProductVersion RangeStatus
discoursediscoursestable <= 3.2.0affected
discoursediscoursebeta <= 3.3.0.beta1affected
discoursediscoursetests-passed <= 3.3.0.beta1affected

Weaknesses

  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References