CVE-2023-49098 - Vulnerability Details - OpenCVE

Description

Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939.

Published: 2024-01-12

Score: 3.5 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

discourse

discourse-reactions

affected

Version	Status	Constraints
`< commit 2c26939`	affected	—

Configuration 1 [-]

cpe:2.3:a:discourse:discourse_reactions:*:*:*:*:*:discourse:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-53107	Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00177.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc
https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8

History

Tue, 03 Jun 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Discourse Discourse Reactions

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-12T20:37:26.516Z

Updated: 2025-06-03T14:04:02.387Z

Reserved: 2023-11-21T18:57:30.430Z

Link: CVE-2023-49098

Vulnrichment

Updated: 2024-08-02T21:46:29.128Z

NVD

Status : Modified

Published: 2024-01-12T21:15:09.540

Modified: 2024-11-21T08:32:49.160

Link: CVE-2023-49098

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-284

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49098", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-21T18:57:30.430Z", "datePublished": "2024-01-12T20:37:26.516Z", "dateUpdated": "2025-06-03T14:04:02.387Z"}, "containers": {"cna": {"title": "Reaction data for user notifications exposed in Discourse-reactions", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8"}, {"name": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc"}], "affected": [{"vendor": "discourse", "product": "discourse-reactions", "versions": [{"version": "< commit 2c26939", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-12T20:37:26.516Z"}, "descriptions": [{"lang": "en", "value": "Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939."}], "source": {"advisory": "GHSA-mq82-7v5x-rhv8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:46:29.128Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8"}, {"name": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T19:10:06.662608Z", "id": "CVE-2023-49098", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-03T14:04:02.387Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8", "name": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc", "name": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:46:29.128Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-49098", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-08T19:10:06.662608Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T19:10:08.273Z"}}], "cna": {"title": "Reaction data for user notifications exposed in Discourse-reactions", "source": {"advisory": "GHSA-mq82-7v5x-rhv8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse-reactions", "versions": [{"status": "affected", "version": "< commit 2c26939"}]}], "references": [{"url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8", "name": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc", "name": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-12T20:37:26.516Z"}}}, "cveMetadata": {"cveId": "CVE-2023-49098", "state": "PUBLISHED", "dateUpdated": "2025-06-03T14:04:02.387Z", "dateReserved": "2023-11-21T18:57:30.430Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-12T20:37:26.516Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse_reactions:*:*:*:*:*:discourse:*:*", "matchCriteriaId": "6D7031E2-271E-43D4-98C0-21804A0D5358", "versionEndIncluding": "0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939."}, {"lang": "es", "value": "Discourse-reactions es un complemento que permite al usuario agregar sus reacciones a la publicaci\u00f3n. Los datos sobre las notificaciones de reacci\u00f3n de un usuario podr\u00edan quedar expuestos. Esta vulnerabilidad fue parcheada en el commit 2c26939."}], "id": "CVE-2023-49098", "lastModified": "2024-11-21T08:32:49.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-12T21:15:09.540", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}