CVE-2022-24866 is a vulnerability in Discourse Assign
Published on April 26, 2022

Exposure of Sensitive Information to an Unauthorized Actor in Discourse Assign
Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only serialized for people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff members, but for sites with assign features enabled publicly, the data was accessible to more people than just staff. Version 1.0.1 contains a patch. There are currently no known workarounds.
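The root cause described above is a serializer that embeds an entire model object instead of an explicit list of public fields. The following is an added example, not code from Discourse or the Discourse Assign plugin: the `User`, `Bookmark`, serializer classes and field names are all constructed for illustration. It contrasts a bookmark serializer that nests a leaky user serializer (dumping every attribute, private ones included) with one that nests an allowlisted user serializer, and provides a check that reports which private fields reach the output.

```ruby
# Constructed model records; in a real application these would be ORM objects.
User = Struct.new(:id, :username, :name, :email, :ip_address, :api_key, keyword_init: true)
Bookmark = Struct.new(:id, :topic_id, :user, keyword_init: true)

# Fields that must never appear in a response to other users (constructed list).
PRIVATE_FIELDS = %i[email ip_address api_key].freeze

# Vulnerable pattern: dump every attribute of the model into the response.
# Struct#to_h returns all fields, so email, ip_address and api_key leak.
class LeakyUserSerializer
  def initialize(user)
    @user = user
  end

  def as_json
    @user.to_h
  end
end

# Hardened pattern: the serializer names exactly the public fields it exposes.
# Adding a new column to the model does not silently widen the response.
class BasicUserSerializer
  PUBLIC_ATTRIBUTES = %i[id username name].freeze

  def initialize(user)
    @user = user
  end

  def as_json
    PUBLIC_ATTRIBUTES.to_h { |attr| [attr, @user.public_send(attr)] }
  end
end

# A bookmark serializer that embeds its user through whichever user
# serializer it is given; the nested serializer decides what leaks.
class BookmarkSerializer
  def initialize(bookmark, user_serializer:)
    @bookmark = bookmark
    @user_serializer = user_serializer
  end

  def as_json
    {
      id: @bookmark.id,
      topic_id: @bookmark.topic_id,
      user: @user_serializer.new(@bookmark.user).as_json
    }
  end
end

# Constructed sample data with deliberately sensitive placeholder values.
SAMPLE_USER = User.new(
  id: 42, username: "alice", name: "Alice",
  email: "alice@example.invalid", ip_address: "203.0.113.5", api_key: "PLACEHOLDER-KEY"
)
SAMPLE_BOOKMARK = Bookmark.new(id: 7, topic_id: 1234, user: SAMPLE_USER)

# Regression-style check: which private user fields does a serialized
# bookmark expose when built with the given user serializer?
def leaked_fields(user_serializer, bookmark = SAMPLE_BOOKMARK)
  payload = BookmarkSerializer.new(bookmark, user_serializer: user_serializer).as_json
  payload[:user].keys & PRIVATE_FIELDS
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky user serializer exposes:    #{leaked_fields(LeakyUserSerializer).inspect}"
  puts "allowlisted user serializer exposes: #{leaked_fields(BasicUserSerializer).inspect}"
end
```

The `leaked_fields` check is the kind of assertion worth keeping in a plugin's test suite: it fails the moment a nested serializer starts returning a private column, regardless of which view the nesting happens in.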

NVD

Vulnerability Analysis

CVE-2022-24866 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be a small impact on confidentiality, with no impact on integrity or availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2022-24866 has been classified as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2022-24866


Affected Versions

discourse-assign Version < 1.0.1 is affected by CVE-2022-24866

Exploit Probability

EPSS
0.17%
Percentile
37.79%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.