Unrated severityNVD Advisory· Published Jan 27, 2023· Updated Mar 10, 2025
Discourse's exclude_tags param could leak which topics had a specific hidden tag
CVE-2023-23624
Description
Discourse is an open-source discussion platform. Prior to version 3.0.1 on the stable branch and version 3.1.0.beta2 on the beta and tests-passed branches, someone can use the exclude_tag param to filter out topics and deduce which ones were using a specific hidden tag. This affects any Discourse site using hidden tags in public categories. This issue is patched in version 3.0.1 on the stable branch and version 3.1.0.beta2 on the beta and tests-passed branches. As a workaround, secure any categories that are using hidden tags, change any existing hidden tags to not include private data, or remove any hidden tags currently in use.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3<3.0.1 (stable), <3.1.0.beta2 (beta)+ 1 more
- (no CPE)range: <3.0.1 (stable), <3.1.0.beta2 (beta)
- (no CPE)range: < 3.0.1
Patches
Vulnerability mechanics
References
3- github.com/discourse/discourse/commit/f55e0fe7910149c431861c18ce407d1be0d6091amitrex_refsource_MISC
- github.com/discourse/discourse/pull/20006mitrex_refsource_MISC
- github.com/discourse/discourse/security/advisories/GHSA-qgj5-g5vf-fm7qmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.