Vulnerability Details : CVE-2023-30611
Discourse-reactions is a plugin that allows users to add reactions to posts in the Discourse messaging platform. In affected versions, data about which reactions were performed on a post in a private topic could be leaked. This issue has been addressed in version 0.3. Users are advised to upgrade. Users unable to upgrade should disable the discourse-reactions plugin to fully mitigate the issue.
Vulnerability category: Information leak
Products affected by CVE-2023-30611
- cpe:2.3:a:discourse:reactions:0.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-30611
0.09% - Probability of exploitation activity in the next 30 days
~41% - Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-30611
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST | 
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 2.8 | 1.4 | GitHub, Inc. | 
CWE ids for CVE-2023-30611
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-30611
- https://github.com/discourse/discourse-reactions/commit/01aca15b2774c088f3673118e92e9469f37d2fb6 - SECURITY: Publish reactions based on topic permissions (#218) · discourse/discourse-reactions@01aca15 · GitHub (Patch)
- https://github.com/discourse/discourse-reactions/security/advisories/GHSA-4cgc-c7vh-94g6 - Reaction metadata exposed in private topics · Advisory · discourse/discourse-reactions · GitHub (Vendor Advisory)