CVE-2023-49098 - OpenCVE

Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Discourse	Discourse Reactions

Configuration 1 [-]

cpe:2.3:a:discourse:discourse_reactions:*:*:*:*:*:discourse:*:*

No data.

References

Link	Providers
https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc
https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-12T20:37:26.516Z

Updated: 2024-08-02T21:46:29.128Z

Reserved: 2023-11-21T18:57:30.430Z

Link: CVE-2023-49098

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-12T21:15:09.540

Modified: 2024-01-25T15:44:43.440

Link: CVE-2023-49098

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49098", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-21T18:57:30.430Z", "datePublished": "2024-01-12T20:37:26.516Z", "dateUpdated": "2024-08-02T21:46:29.128Z"}, "containers": {"cna": {"title": "Reaction data for user notifications exposed in Discourse-reactions", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8"}, {"name": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc"}], "affected": [{"vendor": "discourse", "product": "discourse-reactions", "versions": [{"version": "< commit 2c26939", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-12T20:37:26.516Z"}, "descriptions": [{"lang": "en", "value": "Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939."}], "source": {"advisory": "GHSA-mq82-7v5x-rhv8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:46:29.128Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8"}, {"name": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse_reactions:*:*:*:*:*:discourse:*:*", "matchCriteriaId": "6D7031E2-271E-43D4-98C0-21804A0D5358", "versionEndIncluding": "0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939."}, {"lang": "es", "value": "Discourse-reactions es un complemento que permite al usuario agregar sus reacciones a la publicaci\u00f3n. Los datos sobre las notificaciones de reacci\u00f3n de un usuario podr\u00edan quedar expuestos. Esta vulnerabilidad fue parcheada en el commit 2c26939."}], "id": "CVE-2023-49098", "lastModified": "2024-01-25T15:44:43.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-12T21:15:09.540", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}