What is CVE-2023-34250?

CVE-2023-34250 is a vulnerability in the Discourse open source discussion platform that allows an attacker to reveal the number of recently created topics.

How severe is CVE-2023-34250?

CVE-2023-34250 has a severity rating of 5.3, which is considered medium.

What is the affected software of CVE-2023-34250?

CVE-2023-34250 affects Discourse versions up to and including 3.0.4 of the 'stable' branch and version 3.1.0-beta1 to 3.1.0-beta4 of the 'beta' and 'tests-passed' branches.

Is there a fix for CVE-2023-34250?

Yes, upgrading to version 3.0.4 of the 'stable' branch or version 3.1.0.beta5 of the 'beta' and 'tests-passed' branches will fix CVE-2023-34250.

Vulnerability/
CVE-2023-34250

medium

5.3

CWE

668 200

13/6/2023

22/6/2023

CVE-2023-34250: Infoleak

Q: How can an attacker exploit CVE-2023-34250?

An attacker can exploit CVE-2023-34250 by using the new topics dismissal endpoint to reveal the number of topics recently created, but not the actual content.

First published: Tue Jun 13 2023(Updated: )

Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, an attacker could use the new topics dismissal endpoint to reveal the number of topics recently created (but not the actual content thereof) in categories they didn't have access to. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. There are no known workarounds.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Discourse Discourse	<3.0.4
Discourse Discourse	=3.1.0-beta1
Discourse Discourse	=3.1.0-beta2
Discourse Discourse	=3.1.0-beta3
Discourse Discourse	=3.1.0-beta4

Never miss a vulnerability like this again

Reference Links

https://github.com/discourse/discourse/security/advisories/GHSA-q8m5-wmjr-3ppg

Frequently Asked Questions

What is CVE-2023-34250?
CVE-2023-34250 is a vulnerability in the Discourse open source discussion platform that allows an attacker to reveal the number of recently created topics.
How severe is CVE-2023-34250?
CVE-2023-34250 has a severity rating of 5.3, which is considered medium.
What is the affected software of CVE-2023-34250?
CVE-2023-34250 affects Discourse versions up to and including 3.0.4 of the 'stable' branch and version 3.1.0-beta1 to 3.1.0-beta4 of the 'beta' and 'tests-passed' branches.
How can an attacker exploit CVE-2023-34250?
An attacker can exploit CVE-2023-34250 by using the new topics dismissal endpoint to reveal the number of topics recently created, but not the actual content.
Is there a fix for CVE-2023-34250?
Yes, upgrading to version 3.0.4 of the 'stable' branch or version 3.1.0.beta5 of the 'beta' and 'tests-passed' branches will fix CVE-2023-34250.

collector/nvd-index
agent/references
agent/severity
agent/author
agent/type
vendor/discourse
canonical/discourse discourse
version/discourse discourse/3.1.0-beta1
version/discourse discourse/3.1.0-beta2
version/discourse discourse/3.1.0-beta3
version/discourse discourse/3.1.0-beta4

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.