CVE-2025-49845

Discourse is an open-source discussion platform. The visibility of posts typed `whisper` is controlled via the `whispers_allowed_groups` site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed `whisper`. However, it has been discovered that users of versions prior to 3.4.6 on the `stable` branch and prior to 3.5.0.beta8-dev on the `tests-passed` branch can continue to see their own whispers even after losing visibility of posts typed `whisper`. This issue is patched in versions 3.4.6 and 3.5.0.beta8-dev. No known workarounds are available.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-79qw-r73r-69gf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*

History

25 Aug 2025, 15:13

Type	Values Removed	Values Added
First Time		Discourse discourse Discourse
References	~~() https://github.com/discourse/discourse/security/advisories/GHSA-79qw-r73r-69gf -~~	() https://github.com/discourse/discourse/security/advisories/GHSA-79qw-r73r-69gf - Vendor Advisory
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:discourse:discourse:::::stable:::*

26 Jun 2025, 18:57

Type	Values Removed	Values Added
Summary		(es) Discourse es una plataforma de discusión de código abierto. La visibilidad de las publicaciones con el tipo "whisper" se controla mediante la configuración del sitio "whispers_allowed_groups". Solo los usuarios que pertenecen a los grupos especificados en la configuración del sitio pueden ver las publicaciones con este tipo. Sin embargo, se ha descubierto que los usuarios de versiones anteriores a la 3.4.6 en la rama "stable" y anteriores a la 3.5.0.beta8-dev en la rama "tests-passed" pueden seguir viendo sus propios "whisper" incluso después de perder la visibilidad de las publicaciones con este tipo. Este problema se ha corregido en las versiones 3.4.6 y 3.5.0.beta8-dev. No se conocen soluciones alternativas.

25 Jun 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-25 16:15

Updated : 2025-08-25 15:13

NVD link : CVE-2025-49845

Mitre link : CVE-2025-49845

CVE.ORG link : CVE-2025-49845

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

7.5 /10