Reactions leak for secure category topics and private messages
CVE-2021-41140

5.3MEDIUM

Key Information:

Vendor: Discourse
Status: Discourse-reactions
Vendor: CVE Published:; 19 October 2021

Summary

Discourse-reactions is a plugin for the Discourse platform that allows user to add their reactions to the post. In affected versions reactions given by user to secure topics and private messages are visible. This issue is patched in version 0.2 of discourse-reaction. Users who are unable to update are advised to disable the Discourse-reactions plugin in admin panel.

Affected Version(s)

discourse-reactions < 0.2

References

https://github.com/discourse/discourse-reactions/security...

x_refsource_CONFIRM

https://github.com/discourse/discourse-reactions/commit/2...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 19, 2021
Vulnerability Reserved
Sep 15, 2021