Discourse Vulnerabilities

This vulnerability allows an attacker to access private user information, such as phone numbers and addresses, from all users in a Discourse forum, even if they are not logged in. It occurs because the system does not properly check permissions for certain user data fields, making it easy for anyone to exploit this flaw and collect sensitive information.

This vulnerability allows any authenticated user to manipulate policies on posts they shouldn't be able to access, including private posts, and to discover which posts have policies based on error messages. It affects users of the discourse platform who have the `discourse-policy` plugin enabled and can be fixed by upgrading to the latest versions or disabling the plugin altogether.

An attacker can send fake webhook messages to a Discourse site, allowing them to create, change, or delete Patreon pledge data if the site's webhook secret is left blank. To prevent this, it's crucial to set a strong, non-empty webhook secret in the site settings.

This vulnerability allows attackers to send fake data to certain email service integrations on the Discourse platform, which can lead to legitimate user emails being mistakenly marked as undeliverable. It occurs when no authentication token is set up, meaning attackers can exploit this weakness without needing any special access.