CVE-2022-39385 MEDIUM

CVE-2022-39385: Users erroneously and transparently added to private messages in Discourse

Vendor Discourse
Product discourse
Weakness CWE-200 · Info exposure
Published November 14, 2022
Last update April 23, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Discourse is an open source discussion platform. In some rare cases, users redeeming an invitation can be added as participants to several private message topics that they should not be added to. They are not notified of this; it happens transparently in the background. This issue has been resolved in commit `a414520742` and will be included in future releases. Users are advised to upgrade. Users are also advised to set `SiteSetting.max_invites_per_day` to 0 until the patch is installed.

Key dates

Disclosure timeline

November 14, 2022 CVE published
April 23, 2025 Record updated