5.3
CVE-2023-25169
- EPSS 0.44%
- Veröffentlicht 06.03.2023 18:15:10
- Zuletzt bearbeitet 21.11.2024 07:49:14
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginYearly Review Plugin leaking anonymised users data in discourse-yearly-review
discourse-yearly-review is a discourse plugin which publishes an automated Year in Review topic. In affected versions a user present in a yearly review topic that is then anonymised will still have some data linked to its original account. This issue has been patched in commit `b3ab33bbf7` which is included in the latest version of the Discourse Yearly Review plugin. Users are advised to upgrade. Users unable to upgrade may disable the `yearly_review_enabled` setting to fully mitigate the issue. Also, it's possible to edit the anonymised user's old data in the yearly review topics manually.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Discourse ≫ Discourse Yearly Review SwPlatformdiscourse Version < 0.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.44% | 0.349 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
| security-advisories@github.com | 3.1 | 1.6 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
|
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c
https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7