CVE-2024-24755 MEDIUM

CVE-2024-24755: discourse-group-membership-ip-block is exposing potentially sensitive custom fields

Vendor Discourse
Product discourse-group-membership-ip-block
Weakness CWE-200 · Info exposure
Published February 1, 2024
Last update August 1, 2024

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

discourse-group-membership-ip-block is a Discourse plugin that adds users to groups based on their IP address. The plugin was sending all group custom fields to the client, including group custom fields set by other plugins, which may expect their custom fields to remain secret.

Key dates

02 Disclosure timeline

February 1, 2024 CVE published
August 1, 2024 Record updated