Reaction data for user notifications exposed in Discourse-reactions
Description
Discourse-reactions plugin exposes reaction notification data for any user via insufficient authorization checks, fixed in commit 2c26939.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In the discourse-reactions plugin, the endpoints reactions_given and reactions_received in app/controllers/discourse_reactions incorrectly used guardian.can_see_profile?(user) to authorize access. This allowed any authenticated user to retrieve reaction notification data for any other user. The vulnerability affects all versions before commit 2c26939 [1][2].
Exploitation
An authenticated attacker can send requests to /discourse-reactions/posts/reactions.json with a target username parameter without needing any special privileges or user interaction. The attacker only needs a valid session on the Discourse instance [1][2].
Impact
Successful exploitation exposes the target user's reaction notifications, including which posts they reacted to and the type of reaction. This can leak information about user activity, potentially including posts in private categories, constituting a confidentiality breach [1][2].
Mitigation
The fix was implemented in commit 2c26939 [1], which changed the authorization check from can_see_profile? to can_see_notifications?. Users should update the discourse-reactions plugin to include this commit. No workarounds are available; upgrading is required [1][2].
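As an added example that is not the plugin's own code, the following simplified Ruby model contrasts the vulnerable authorization gate with the fixed one. The Guardian semantics, the user records and the action body are all assumptions constructed for illustration; the point is that a profile-visibility predicate is far broader than the owner-or-admin check a user's own notifications require.

```ruby
User = Struct.new(:id, :username, :admin, :profile_hidden, keyword_init: true)

# Minimal stand-in for Discourse's Guardian (assumed, simplified semantics).
class Guardian
  def initialize(current_user)
    @user = current_user
  end

  # Profile visibility: anyone may see a profile that is not hidden.
  def can_see_profile?(target)
    return false if target.nil?
    !target.profile_hidden || is_me?(target) || !!(@user&.admin)
  end

  # Notifications are private: only the user themselves or an admin.
  def can_see_notifications?(target)
    return false if target.nil?
    is_me?(target) || !!(@user&.admin)
  end

  private

  def is_me?(target)
    !@user.nil? && @user.id == target.id
  end
end

# Constructed sample data: reactions received by each user, keyed by username.
REACTIONS_RECEIVED = {
  "alice" => [{ post_id: 101, reaction: "heart" }, { post_id: 205, reaction: "laughing" }],
  "bob"   => [{ post_id: 150, reaction: "heart" }],
}.freeze

USERS = {
  "alice" => User.new(id: 1, username: "alice", admin: false, profile_hidden: false),
  "bob"   => User.new(id: 2, username: "bob",   admin: false, profile_hidden: false),
  "mod"   => User.new(id: 3, username: "mod",   admin: true,  profile_hidden: false),
}.freeze

# Controller-style action. `check` selects the authorization predicate so the
# vulnerable (:can_see_profile?) and fixed (:can_see_notifications?) gates compare side by side.
def reactions_received(current_user, username, check: :can_see_notifications?)
  target = USERS[username]
  return { status: 404 } if target.nil?
  return { status: 403 } unless Guardian.new(current_user).public_send(check, target)
  { status: 200, reactions: REACTIONS_RECEIVED.fetch(username, []) }
end
```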
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < commit 2c26939
Patches
No patches discovered yet.
References
- [1] github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc (MISC)
- [2] github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8 (CONFIRM)
News mentions
No linked articles in our index yet.