Vulnerability from bitnami_vulndb
Published: 2024-07-09 08:43
Modified: 2025-05-20 10:02
Summary
Discourse doesn't limit reviewable user serializer payload
Details
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the stable branch and version 3.3.0.beta4 on the beta and tests-passed branches, moderators using the review queue to review users may see a user's email address even when the "Allow moderators to view email addresses" setting is disabled. This issue is patched in version 3.2.3 on the stable branch and version 3.3.0.beta4 on the beta and tests-passed branches. As possible workarounds, either prevent moderators from accessing the review queue, or disable both the "approve suspect users" and "must approve users" site settings so that users are not added to the review queue.
{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "discourse",
        "purl": "pkg:bitnami/discourse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.3"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-36122"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, moderators using the review queue to review users may see a users email address even when the Allow moderators to view email addresses setting is disabled. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. As possible workarounds, either prevent moderators from accessing the review queue or disable the approve suspect users site setting and the must approve users site setting to prevent users from being added to the review queue.",
  "id": "BIT-discourse-2024-36122",
  "modified": "2025-05-20T10:02:07.006Z",
  "published": "2024-07-09T08:43:07.853Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/discourse/discourse/commit/8d5b21170efa4766e1a213ff07dc36d36cf3dfb4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/discourse/discourse/commit/e2a7265dba3d9e943338db21ca38c50276b22f47"
    },
    {
      "type": "WEB",
      "url": "https://github.com/discourse/discourse/security/advisories/GHSA-rr93-hcw4-cv3f"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36122"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "Discourse doesn\u0027t limit reviewable user serializer payload"
}