Vulnerabilities > CVE-2022-31095 - Missing Authorization vulnerability in Discourse Discourse-Chat 0.3

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

discourse

CWE-862

NVD

Published: 2022-06-21

Updated: 2023-07-24

Summary

discourse-chat is a chat plugin for the Discourse application. Versions prior to 0.4 are vulnerable to an exposure of sensitive information, where an attacker who knows the message ID for a channel they do not have access to can view that message using the chat message lookup endpoint, primarily affecting direct message channels. There are no known workarounds for this issue, and users are advised to update the plugin.

Vulnerable Configurations

Part	Description	Count
Application	Discourse Discourse Discourse Chat - Discourse Discourse Chat 0.3	2

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://github.com/discourse/discourse-chat/security/advisories/GHSA-r979-jhp2-3f6h