Approved changes feed: RSS · Atom
cpe:2.3:a:discourse:assign:*:*:*:*:*:discourse:*:*
part: a version: * update: *
| Vendor | Discourse (2d3c125b-857a-5933-b846-ed7f9d5e0225) |
|---|---|
| Product | Assign (d8e0de86-127b-5151-a39c-09581d1610e1) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | discourse |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2022-24866 |
vulnerable | 2026-06-03 14:46:36.490836 |
Exposure of Sensitive Information to an Unauthorized Actor in Discourse Assign
MEDIUM (4.3)
Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only being serialized to people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff member, but for sites with assign features enabled publicly, the data was accessible to more people than just staff. Version 1.0.1 contains a patch. There are currently no known workarounds.
Published: 2022-04-26T18:45:12.000Z
Updated: 2025-04-23T18:32:16.933Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.