Discourse's exclude_tags param could leak which topics had a specific hidden tag
Description
Discourse is an open-source discussion platform. Prior to version 3.0.1 on the stable branch and version 3.1.0.beta2 on the beta and tests-passed branches, someone can use the exclude_tag param to filter out topics and deduce which ones were using a specific hidden tag. This affects any Discourse site using hidden tags in public categories. This issue is patched in version 3.0.1 on the stable branch and version 3.1.0.beta2 on the beta and tests-passed branches. As a workaround, secure any categories that are using hidden tags, change any existing hidden tags to not include private data, or remove any hidden tags currently in use.
Affected products
1- Range: < 3.0.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/discourse/discourse/commit/f55e0fe7910149c431861c18ce407d1be0d6091amitrex_refsource_MISC
- github.com/discourse/discourse/pull/20006mitrex_refsource_MISC
- github.com/discourse/discourse/security/advisories/GHSA-qgj5-g5vf-fm7qmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.