CVE-2023-25169
CVSS V2 None
CVSS V3 None
Description
discourse-yearly-review is a discourse plugin which publishes an automated Year in Review topic. In affected versions a user present in a yearly review topic that is then anonymised will still have some data linked to its original account. This issue has been patched in commit `b3ab33bbf7` which is included in the latest version of the Discourse Yearly Review plugin. Users are advised to upgrade. Users unable to upgrade may disable the `yearly_review_enabled` setting to fully mitigate the issue. Also, it's possible to edit the anonymised user's old data in the yearly review topics manually.
Overview
- CVE ID
- CVE-2023-25169
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2023-03-06T18:15:10
- Last Modified Date
- 2023-03-13T17:51:25
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:discourse:discourse_yearly_review:*:*:*:*:*:discourse:*:* | 1 | OR | 0.2 |
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c | Patch |
| https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7 | Mitigation Vendor Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-25169 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25169 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2023-04-17 05:59:30 | Added to TrackCVE | |||
| 2023-04-17 05:59:32 | Weakness Enumeration | new |