CVE-2022-39385: 
NixOS vulnerability analysis and mitigation

A vulnerability in Discourse (CVE-2022-39385) was discovered that could allow users redeeming an invitation to be erroneously and transparently added as participants to private message topics without proper authorization. The vulnerability affects Discourse versions stable <= 2.8.10, beta <= 2.9.0.beta11, and tests-passed <= 2.9.0.beta11 (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 8.1 (High severity), with attack vector being Network, attack complexity Low, privileges required Low, and no user interaction needed. The vulnerability is categorized as CWE-200, relating to exposure of sensitive information. The scope is unchanged, with high impact on confidentiality and availability, but no impact on integrity (GitHub Advisory).

When exploited, this vulnerability allows users who redeem an invitation to be automatically added as participants to several private message topics that they should not have access to. This happens transparently in the background without any notification to the user or the system administrators (GitHub Advisory).

As a temporary workaround, administrators can set SiteSetting.maxinvitesper_day to 0 until the patch is installed. The vulnerability has been patched in versions stable > 2.8.10, beta > 2.9.0.beta11, and tests-passed > 2.9.0.beta11 (GitHub Advisory).