CVE-2025-49845
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Discourse is an open-source discussion platform. The visibility of posts typed whisper is controlled via the whispers_allowed_groups site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed whisper. However, it has been discovered that users of versions prior to 3.4.6 on the stable branch and prior to 3.5.0.beta8-dev on the tests-passed branch can continue to see their own whispers even after losing visibility of posts typed whisper. This issue is patched in versions 3.4.6 and 3.5.0.beta8-dev. No known workarounds are available.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| discourse | discourse | < 3.4.6 | affected |
| discourse | discourse | >= 3.5.0.beta0-dev, < 3.5.0.beta8-dev | affected |
Weaknesses
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.