Platform
discourse
Component
discourse
Fixed in
3.3.3
3.4.1
CVE-2024-45297 describes an information disclosure vulnerability in Discourse, an open-source community discussion platform. This flaw allows attackers to view topics marked with a hidden tag if they possess knowledge of the tag's label or name. The vulnerability impacts versions of Discourse up to and including 3.3.2, and a patch has been released in the latest stable, beta, and tests-passed versions.
The primary impact of CVE-2024-45297 is the unauthorized exposure of sensitive or private topics within a Discourse community. An attacker who knows the label of a hidden tag can bypass the intended access restrictions and view the associated content. This could lead to the disclosure of confidential information, internal discussions, or other data that should not be publicly accessible. The potential damage depends on the nature of the hidden topics and the sensitivity of the information they contain. While not a direct RCE or data breach, this vulnerability can be a stepping stone for further attacks or reputational damage.
CVE-2024-45297 was publicly disclosed on 2024-10-07. As of this writing, there are no known public proof-of-concept exploits available. The vulnerability is not currently listed on CISA KEV. The probability of exploitation is considered low due to the lack of public exploits and the relatively straightforward mitigation (upgrade).
Exploit Status
EPSS
0.47% (64% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2024-45297 is to immediately upgrade Discourse to the latest stable, beta, or tests-passed version. There are no known workarounds for this vulnerability beyond upgrading. Ensure that your Discourse instance is regularly updated to benefit from the latest security patches and improvements. After upgrading, verify the fix by attempting to access a hidden topic using a known tag label; access should be denied if the upgrade was successful.
Actualice Discourse a la última versión estable, beta o tests-passed. Esto solucionará la vulnerabilidad que permite a usuarios no autorizados filtrar la lista de temas por etiquetas ocultas.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-45297 is a vulnerability in Discourse where attackers can view hidden topics if they know the tag label, impacting versions ≤ 3.3.2.
Yes, if you are running Discourse version 3.3.2 or earlier, you are affected by this information disclosure vulnerability.
Upgrade Discourse to the latest stable, beta, or tests-passed version. There are no known workarounds besides upgrading.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly.
Refer to the official Discourse security announcement on their website for details: https://blog.discourse.org/topic/95338-security-notice-cve-2024-45297
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.