by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
removed
5 packages
- discourse-mail-receiver
- python312Packages.pydiscourse
- python313Packages.pydiscourse
- python314Packages.pydiscourse
- grafanaPlugins.grafana-discourse-datasource
- @LeSuisse accepted
- @LeSuisse published on GitHub
Discourse doesn't prevent moderators from exporting user Chat DMs
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in `can_export_entity?`. The method allowed moderators to export any entity not explicitly blocked instead of restricting to an explicit allowlist. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
References
- https://github.com/discourse/discourse/security/advisories/GHSA-5cp2-jq8m-33mf x_refsource_CONFIRM
Affected products
- ==< 2025.12.2
- ==>= 2026.1.0-latest, < 2026.1.1
- ==>= 2026.2.0-latest, < 2026.2.0
Matching in nixpkgs
pkgs.discourse
Discourse is an open source discussion platform
Ignored packages (5)
pkgs.discourse-mail-receiver
Helper program which receives incoming mail for Discourse
pkgs.python312Packages.pydiscourse
Python library for working with Discourse
pkgs.python313Packages.pydiscourse
Python library for working with Discourse
pkgs.python314Packages.pydiscourse
Python library for working with Discourse
pkgs.grafanaPlugins.grafana-discourse-datasource
Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana
Package maintainers
-
@talyz Kim Lindberger <kim.lindberger@gmail.com>