BIT-discourse-2024-56197

Import Source
https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2024-56197.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-discourse-2024-56197
Aliases
Published
2025-02-20T10:31:38.504Z
Modified
2026-03-25T09:30:06.910936Z
Summary
Users can see other users' tagged PMs in Discourse
Details

Discourse is an open source platform for community discussion. PM titles and metadata can be read by other users when the "PM tags allowed for groups" option is enabled, the other user is a member of a group added to this option, and the PM has been tagged. This issue has been patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade should remove all groups from the "PM tags allowed for groups" option.

Database specific
{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*",
        "cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*",
        "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / discourse

Package

Name
discourse
Purl
pkg:bitnami/discourse

Severity

  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.4.0

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2024-56197.json"