CVE-2024-36122 LOW

CVE-2024-36122: Discourse doesn't limit reviewable user serializer payload

Vendor Discourse
Product discourse
Weakness CWE-200 · Info exposure
Published July 3, 2024
Last update August 2, 2024

CVSS base score

2.4/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, moderators using the review queue to review users may see a users email address even when the Allow moderators to view email addresses setting is disabled. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. As possible workarounds, either prevent moderators from accessing the review queue or disable the approve suspect users site setting and the must approve users site setting to prevent users from being added to the review queue.

Key dates

02Disclosure timeline

July 3, 2024 CVE published
August 2, 2024 Record updated