Improper Access Control in Discourse Community Platform
CVE-2024-56197

2.2LOW

Key Information:

Vendor: Discourse
Status: Discourse
Vendor: CVE Published:; 4 February 2025

Summary

An issue in the Discourse community platform allows unauthorized users to read private message (PM) titles and metadata when certain group settings are enabled. Specifically, if the 'PM tags allowed for groups' option is activated and a user is a member of a group with PM tagging, they may access sensitive information from PMs that should be restricted. This vulnerability has been addressed in the latest versions of Discourse, and users are strongly encouraged to update their installations. For those who cannot upgrade immediately, it is recommended to disable the 'PM tags allowed for groups' option to mitigate the risk.

Affected Version(s)

discourse stable: <= 3.3.3 <= stable: 3.3.3

discourse beta: <= 3.4.0.beta4 <= beta: 3.4.0.beta4

discourse tests-passed: <= 3.4.0.beta4 <= tests-passed: 3.4.0.beta4

References

https://github.com/discourse/discourse/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

2.2

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 4, 2025
Vulnerability Reserved
Dec 18, 2024