Vulnerability Details : CVE-2022-24866
Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only being serialized to people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff member, but for sites with assign features enabled publicly, the data was accessible to more people than just staff. Version 1.0.1 contains a patch. There are currently no known workarounds.
Vulnerability category: Information leak
Exploit prediction scoring system (EPSS) score for CVE-2022-24866
Probability of exploitation activity in the next 30 days: 0.05%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 15 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2022-24866
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
[email protected] |
|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
2.8
|
1.4
|
[email protected] |
|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
2.8
|
1.4
|
[email protected] |
CWE ids for CVE-2022-24866
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by:
- [email protected] (Primary)
- [email protected] (Secondary)
References for CVE-2022-24866
-
https://github.com/discourse/discourse-assign/security/advisories/GHSA-9xhf-wvjx-f5w9
Third Party Advisory
-
https://github.com/discourse/discourse-assign/pull/320
Issue Tracking;Patch;Third Party Advisory
Products affected by CVE-2022-24866
- cpe:2.3:a:discourse:assign:*:*:*:*:*:discourse:*:*