{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-46813", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-30T19:41:58.133Z", "datePublished": "2025-05-05T20:03:46.289Z", "dateUpdated": "2025-05-06T13:44:48.303Z"}, "containers": {"cna": {"title": "Private data leak on login-required Discourse sites", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-v3h7-c287-pfg9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-v3h7-c287-pfg9"}, {"name": "https://github.com/discourse/discourse/commit/10df7fdee060d44accdee7679d66d778d1136510", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/10df7fdee060d44accdee7679d66d778d1136510"}, {"name": "https://github.com/discourse/discourse/commit/82d84af6b0efbd9fa2aeec3e91ce7be1a768511b", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/82d84af6b0efbd9fa2aeec3e91ce7be1a768511b"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 10df7fdee060d44accdee7679d66d778d1136510, <= 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-05T20:03:46.289Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source community platform. A data leak vulnerability affects sites deployed between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. On login-required sites, the leak meant that some content on the site's homepage could be visible to unauthenticated users. Only login-required sites that got deployed during this timeframe are affected, roughly between April 30 2025 noon EDT and May 2 2025, noon EDT. Sites on the stable branch are unaffected. Private content on an instance's homepage could be visible to unauthenticated users on login-required sites. Versions of 3.5.0.beta4 after commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b are not vulnerable to the issue. No workarounds are available. Sites must upgrade to a non-vulnerable version of Discourse."}], "source": {"advisory": "GHSA-v3h7-c287-pfg9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-06T13:44:37.711180Z", "id": "CVE-2025-46813", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-06T13:44:48.303Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-46813", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-06T13:44:37.711180Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-06T13:44:44.525Z"}}], "cna": {"title": "Private data leak on login-required Discourse sites", "source": {"advisory": "GHSA-v3h7-c287-pfg9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": ">= 10df7fdee060d44accdee7679d66d778d1136510, <= 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-v3h7-c287-pfg9", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-v3h7-c287-pfg9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse/commit/10df7fdee060d44accdee7679d66d778d1136510", "name": "https://github.com/discourse/discourse/commit/10df7fdee060d44accdee7679d66d778d1136510", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/82d84af6b0efbd9fa2aeec3e91ce7be1a768511b", "name": "https://github.com/discourse/discourse/commit/82d84af6b0efbd9fa2aeec3e91ce7be1a768511b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source community platform. A data leak vulnerability affects sites deployed between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. On login-required sites, the leak meant that some content on the site's homepage could be visible to unauthenticated users. Only login-required sites that got deployed during this timeframe are affected, roughly between April 30 2025 noon EDT and May 2 2025, noon EDT. Sites on the stable branch are unaffected. Private content on an instance's homepage could be visible to unauthenticated users on login-required sites. Versions of 3.5.0.beta4 after commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b are not vulnerable to the issue. No workarounds are available. Sites must upgrade to a non-vulnerable version of Discourse."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-05T20:03:46.289Z"}}}, "cveMetadata": {"cveId": "CVE-2025-46813", "state": "PUBLISHED", "dateUpdated": "2025-05-06T13:44:48.303Z", "dateReserved": "2025-04-30T19:41:58.133Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-05T20:03:46.289Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*", "matchCriteriaId": "A0A6583A-A8AE-4C05-8947-79A0E4A73E1D", "versionEndExcluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:3.5.0:beta1:*:*:beta:*:*:*", "matchCriteriaId": "66931995-F794-48F0-9DBB-9048B6C9D8DD", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:3.5.0:beta2:*:*:beta:*:*:*", "matchCriteriaId": "B0461B93-273C-4305-80F9-C70A100B4DFE", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:3.5.0:beta3:*:*:beta:*:*:*", "matchCriteriaId": "F1596D4E-FD8B-4443-AAAE-1D4AC6B1CE6D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source community platform. A data leak vulnerability affects sites deployed between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. On login-required sites, the leak meant that some content on the site's homepage could be visible to unauthenticated users. Only login-required sites that got deployed during this timeframe are affected, roughly between April 30 2025 noon EDT and May 2 2025, noon EDT. Sites on the stable branch are unaffected. Private content on an instance's homepage could be visible to unauthenticated users on login-required sites. Versions of 3.5.0.beta4 after commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b are not vulnerable to the issue. No workarounds are available. Sites must upgrade to a non-vulnerable version of Discourse."}, {"lang": "es", "value": "Discourse es una plataforma comunitaria de c\u00f3digo abierto. Una vulnerabilidad de fuga de datos afecta a los sitios implementados entre los commits 10df7fdee060d44accdee7679d66d778d1136510 y 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. En los sitios que requieren inicio de sesi\u00f3n, la fuga de datos provoc\u00f3 que parte del contenido de la p\u00e1gina principal del sitio fuera visible para usuarios no autenticados. Solo los sitios que requieren inicio de sesi\u00f3n implementados durante este periodo se vieron afectados, aproximadamente entre el 30 de abril de 2025 al mediod\u00eda EDT y el 2 de mayo de 2025 al mediod\u00eda EDT. Los sitios de la rama estable no se vieron afectados. El contenido privado de la p\u00e1gina principal de una instancia podr\u00eda ser visible para usuarios no autenticados en sitios que requieren inicio de sesi\u00f3n. Las versiones de 3.5.0.beta4 posteriores a la confirmaci\u00f3n 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b no son vulnerables al problema. No hay workarounds disponibles. Los sitios deben actualizar a una versi\u00f3n de Discourse no vulnerable."}], "id": "CVE-2025-46813", "lastModified": "2025-09-26T12:54:49.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-05T20:15:21.753", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/10df7fdee060d44accdee7679d66d778d1136510"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/82d84af6b0efbd9fa2aeec3e91ce7be1a768511b"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-v3h7-c287-pfg9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"created": "2025-06-23T19:31:58.570078+00:00", "updated": "2025-06-23T19:31:58.570171+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}