CVE-2023-25169 LOW

CVE-2023-25169: Yearly Review Plugin leaking anonymised users data in discourse-yearly-review

Vendor Discourse

Product discourse-yearly-review

Weakness CWE-200 · Info exposure

Published March 6, 2023

Last update February 25, 2025

View on NVD All CVEs

CVSS base score

3.1/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

discourse-yearly-review is a discourse plugin which publishes an automated Year in Review topic. In affected versions a user present in a yearly review topic that is then anonymised will still have some data linked to its original account. This issue has been patched in commit `b3ab33bbf7` which is included in the latest version of the Discourse Yearly Review plugin. Users are advised to upgrade. Users unable to upgrade may disable the `yearly_review_enabled` setting to fully mitigate the issue. Also, it's possible to edit the anonymised user's old data in the yearly review topics manually.

Key dates

02Disclosure timeline

March 6, 2023 CVE published

February 25, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-25169 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

CVE-2023-25169: Yearly Review Plugin leaking anonymised users data in discourse-yearly-review

01Description

02Disclosure timeline

03References

04Related CVE