Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-25169

discourse-yearly-review is a discourse plugin which publishes an automated Year in Review topic. In affected versions a user present in a yearly review topic that is then anonymised will still have some data linked to its original account. This issue has been patched in commit `b3ab33bbf7` which is included in the latest version of the Discourse Yearly Review plugin. Users are advised to upgrade. Users unable to upgrade may disable the `yearly_review_enabled` setting to fully mitigate the issue. Also, it's possible to edit the anonymised user's old data in the yearly review topics manually.

Published

2023-03-06T18:15:10.473

Last Modified

2024-11-21T07:49:14.607

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.1 (LOW)

Weaknesses

Type: Secondary
CWE-200
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	discourse	discourse_yearly_review	< 0.2	Yes

References

https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c Patch ([email protected])
https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7 Mitigation, Vendor Advisory ([email protected])
https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7 Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)