CVE-2024-31219
Description
Discourse-reactions plugin exposes whisper post content and reaction data on public topic whispers via the reactions given user activity page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Discourse-reactions plugin for Discourse allows users to react to posts with emojis. A vulnerability exists in the /u/:username/activity/reactions endpoint that leaks the content of whisper posts and associated reaction data when whispers are enabled on a site via the whispers_allowed_groups setting and reactions are made on whispers within public topics. The root cause is that the endpoint fails to filter out whisper posts from the results, as shown in the patch, which adds joins to exclude whispers [1].
An attacker can exploit this vulnerability by simply navigating to the reactions given user activity page of any user who has reacted to a whisper on a public topic. The only privilege required is an ordinary logged-in account, and no user interaction is needed. The attack vector is over the network with low complexity [2].
The impact is a high confidentiality breach: the contents of whispers, which are intended to be private to specific groups, are exposed along with reaction data. Integrity and availability are not affected. This could lead to disclosure of sensitive information discussed in whispers.
The vulnerability has been patched in version 0.5 of the discourse-reactions plugin, as implemented in commit [1]. Users are advised to upgrade to the latest version. No workarounds are mentioned, but disabling whispers or the reactions plugin could mitigate the issue.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE)
Patches
16a5a8dacd7e5
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.