CVE-2021-32788

Post creator of a whisper post can be revealed to non-staff users in Discourse

Description

Discourse is an open source discussion platform. In versions prior to 2.7.7 there are two bugs which led to the post creator of a whisper post being revealed to non-staff users. 1: Staff users that creates a whisper post in a personal message is revealed to non-staff participants of the personal message even though the whisper post cannot be seen by them. 2: When a whisper post is before the last post in a post stream, deleting the last post will result in the creator of the whisper post to be revealed to non-staff users as the last poster of the topic.

Category

4.3
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.48%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com
Affected: discourse discourse
Published at:
Updated at:

References

Link Tags
https://github.com/discourse/discourse/security/advisories/GHSA-v6xg-q577-vc92 third party advisory
https://github.com/discourse/discourse/commit/680024f9071b7696e5a444a58791016c6dc1f1e5 third party advisory patch
https://github.com/discourse/discourse/commit/dbdf61196d9e964e8823793d2e7f856595fea4d9 third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2021-32788?
CVE-2021-32788 has been scored as a medium severity vulnerability.
How to fix CVE-2021-32788?
To fix CVE-2021-32788, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-32788 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-32788 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-32788?
CVE-2021-32788 affects discourse discourse.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.