Vulnerability Description
Discourse is an open source platform for community discussion. Attackers with details specific to a poll in a topic can use the `/polls/grouped_poll_results` endpoint to view the content of options in the poll and the number of votes for groups of poll participants. This impacts private polls where the results were intended to only be viewable by authorized users. This issue is patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. There is no workaround for this issue apart from upgrading to the fixed version.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | <= 3.1.1 |
Related Weaknesses (CWE)
References
- https://github.com/discourse/discourse/security/advisories/GHSA-3x57-846g-7qcwVendor Advisory
- https://github.com/discourse/discourse/security/advisories/GHSA-3x57-846g-7qcwVendor Advisory
FAQ
What is CVE-2023-43814?
CVE-2023-43814 is a vulnerability with a CVSS score of 3.7 (LOW). Discourse is an open source platform for community discussion. Attackers with details specific to a poll in a topic can use the `/polls/grouped_poll_results` endpoint to view the content of options in...
How severe is CVE-2023-43814?
CVE-2023-43814 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-43814?
Check the references section above for vendor advisories and patch information. Affected products include: Discourse Discourse.