CVE-2025-49845 Information
Jun 26, 2025
cve
Description
Discourse is an open-source discussion platform. The visibility of posts of type whisper is controlled by the whispers_allowed_groups site setting: only users who belong to the groups specified in that setting are allowed to view whisper posts. However, in versions prior to 3.4.6 on the stable branch and prior to 3.5.0.beta8-dev on the tests-passed branch, users can continue to see their own whispers even after losing visibility of whisper posts. This issue is patched in versions 3.4.6 and 3.5.0.beta8-dev. No known workarounds are available.
Reference
https://github.com/discourse/discourse/security/advisories/GHSA-79qw-r73r-69gf
Related CNNVD
CNNVD-202506-3177 (Published: 2025-06-25)