CVE-2022-24866 Information

Description

Discourse Assign is a plugin for assigning users to a topic in Discourse an open-source messaging platform. Prior to version 1.0.1 the UserBookmarkSerializer serialized the whole User / Group object which leaked some private information. The data was only being serialized to people who could view assignment info which is limited to staff by default. For the vast majority of sites this data was only leaked to trusted staff member but for sites with assign features enabled publicly the data was accessible to more people than just staff. Version 1.0.1 contains a patch. There are currently no known workarounds.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Reference

https://github.com/discourse/discourse-assign/pull/320 https://github.com/discourse/discourse-assign/security/advisories/GHSA-9xhf-wvjx-f5w9

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

4.3