Reaction data for user notifications exposed in Discourse-reactions
CVE-2023-49098

3.5LOW

Key Information:

Vendor: discourse
Status: discourse-reactions
Vendor: CVE Published:; 12 January 2024

What is CVE-2023-49098?

Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939.

Affected Version(s)

discourse-reactions < commit 2c26939

References

https://github.com/discourse/discourse-reactions/security...

x_refsource_CONFIRM

https://github.com/discourse/discourse-reactions/commit/2...

x_refsource_MISC

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 12, 2024
Vulnerability Reserved
Nov 21, 2023