CVE-2023-23624

Discourse's exclude_tags param could leak which topics had a specific hidden tag

Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches, someone can use the `exclude_tag` param to filter out topics and deduce which ones were using a specific hidden tag. This affects any Discourse site using hidden tags in public categories. This issue is patched in version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches. As a workaround, secure any categories that are using hidden tags, change any existing hidden tags to not include private data, or remove any hidden tags currently in use.


We have discovered 1,166 live websites that are affected by CVE-2023-23624.

Affected Software

Product: Discourse
Category: Message Boards
Vulnerable Domains: 1,166 live websites (22.32% of Discourse install base)
Vulnerable Versions: from 0 before 3.0.1
Vulnerable Versions Count: 72 versions (75.79% of all versions)


Common Weakness Enumeration

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor



Details

  • Published - Jan 27, 2023
  • Updated - Aug 2, 2024

CVE-2023-23624 usage by Country

United States: 799 websites
Germany: 94 websites
France: 52 websites
Singapore: 35 websites
China: 26 websites
GB: 18 websites
Brazil: 11 websites
Netherlands: 11 websites
Switzerland: 10 websites

CVE-2023-23624 usage by TLD

.com: 490 websites
.org: 187 websites
.io: 59 websites
.net: 50 websites
.de: 25 websites
.fr: 15 websites
.co: 14 websites
.ru: 12 websites
.eu: 11 websites
.com.br: 10 websites


Websites affected by CVE-2023-23624

Top websites that are affected by CVE-2023-23624 (domain names and ranks are masked in the source listing).

Domain | Country | Rank
*********.***.com | France | *,***
*********.*******.org | United States | **,***
******.********.com | United States | **,***
*********.***************.com | United States | **,***
*********.**********.de | Germany | ***,***
*********.*********.com | (not listed) | ***,***
*********.**********.io | United States | ***,***
***.***********.org | Germany | ***,***
*****.******.com | United States | ***,***
***********.net | United States | ***,***

FAQ

CVE-2023-23624 is an Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) in Discourse.
A total of 1,166 websites have been identified as vulnerable to CVE-2023-23624, discovered through global website indexing conducted by WebTechSurvey.
Discourse is susceptible to the CVE-2023-23624 vulnerability.
Discourse versions before 3.0.1 are vulnerable to CVE-2023-23624.
Version 3.0.1 of Discourse addresses the CVE-2023-23624 security vulnerability.