CVE-2023-49098 - Vulnerability Details - OpenCVE

Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00177.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Discourse	Discourse Reactions

Configuration 1 [-]

cpe:2.3:a:discourse:discourse_reactions:*:*:*:*:*:discourse:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-53107	Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc
https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8

History

Tue, 03 Jun 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-12T20:37:26.516Z

Updated: 2025-06-03T14:04:02.387Z

Reserved: 2023-11-21T18:57:30.430Z

Link: CVE-2023-49098

Vulnrichment

Updated: 2024-08-02T21:46:29.128Z

NVD

Status : Modified

Published: 2024-01-12T21:15:09.540

Modified: 2024-11-21T08:32:49.160

Link: CVE-2023-49098

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49098", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-21T18:57:30.430Z", "datePublished": "2024-01-12T20:37:26.516Z", "dateUpdated": "2025-06-03T14:04:02.387Z"}, "containers": {"cna": {"title": "Reaction data for user notifications exposed in Discourse-reactions", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8"}, {"name": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc"}], "affected": [{"vendor": "discourse", "product": "discourse-reactions", "versions": [{"version": "< commit 2c26939", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-12T20:37:26.516Z"}, "descriptions": [{"lang": "en", "value": "Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939."}], "source": {"advisory": "GHSA-mq82-7v5x-rhv8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:46:29.128Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8"}, {"name": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T19:10:06.662608Z", "id": "CVE-2023-49098", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-03T14:04:02.387Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8", "name": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc", "name": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:46:29.128Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-49098", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-08T19:10:06.662608Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T19:10:08.273Z"}}], "cna": {"title": "Reaction data for user notifications exposed in Discourse-reactions", "source": {"advisory": "GHSA-mq82-7v5x-rhv8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse-reactions", "versions": [{"status": "affected", "version": "< commit 2c26939"}]}], "references": [{"url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8", "name": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc", "name": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-12T20:37:26.516Z"}}}, "cveMetadata": {"cveId": "CVE-2023-49098", "state": "PUBLISHED", "dateUpdated": "2025-06-03T14:04:02.387Z", "dateReserved": "2023-11-21T18:57:30.430Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-12T20:37:26.516Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse_reactions:*:*:*:*:*:discourse:*:*", "matchCriteriaId": "6D7031E2-271E-43D4-98C0-21804A0D5358", "versionEndIncluding": "0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939."}, {"lang": "es", "value": "Discourse-reactions es un complemento que permite al usuario agregar sus reacciones a la publicaci\u00f3n. Los datos sobre las notificaciones de reacci\u00f3n de un usuario podr\u00edan quedar expuestos. Esta vulnerabilidad fue parcheada en el commit 2c26939."}], "id": "CVE-2023-49098", "lastModified": "2024-11-21T08:32:49.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-12T21:15:09.540", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}