CVE-2022-41944: Discourse users can see notifications for topics they no longer have access to

First published: Mon Nov 28 2022(Updated: )

Discourse is an open-source discussion platform. In stable versions prior to 2.8.12 and beta or tests-passed versions prior to 2.9.0.beta.13, under certain conditions, a user can see notifications for topics they no longer have access to. If there is sensitive information in the topic title, it will therefore have been exposed. This issue is patched in stable version 2.8.12, beta version 2.9.0.beta13, and tests-passed version 2.9.0.beta13. There are no workarounds available.

Credit: security-advisories@github.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/references
• agent/type
• agent/softwarecombine
• collector/mitre-cve
• source/MITRE
• agent/author
• agent/last-modified-date
• agent/remedy
• agent/severity
• agent/weakness
• agent/title
• agent/first-publish-date
• agent/tags
• agent/description
• agent/event
• vendor/discourse
• canonical/discourse discourse
• version/discourse discourse/2.8.11
• version/discourse discourse/2.9.0-beta1
• version/discourse discourse/2.9.0-beta10
• version/discourse discourse/2.9.0-beta11
• version/discourse discourse/2.9.0-beta12
• version/discourse discourse/2.9.0-beta2
• version/discourse discourse/2.9.0-beta3
• version/discourse discourse/2.9.0-beta4
• version/discourse discourse/2.9.0-beta5
• version/discourse discourse/2.9.0-beta6
• version/discourse discourse/2.9.0-beta7
• version/discourse discourse/2.9.0-beta8
• version/discourse discourse/2.9.0-beta9