
Cloud Vulnerability DB
A community-led vulnerabilities database
Discourse, an open-source discussion platform, was found to contain a vulnerability (CVE-2022-46150) that could expose hidden tags in notification emails. The vulnerability affects versions prior to 2.8.13 of the 'stable' branch and versions before 2.9.0.beta14 of the 'beta' and 'tests-passed' branches. The issue was discovered and disclosed on November 29, 2022 (GitHub Advisory).
The vulnerability has a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue stems from insufficient filtering of tags in user notifications, which could expose hidden tags in email subject lines. The vulnerability is categorized as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).
The vulnerability allows unauthorized users to discover the existence of hidden tags and learn that these tags have been applied to topics they can access. This information disclosure could reveal sensitive categorization or classification of content that was intended to be restricted (GitHub Advisory).
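The flaw class described above, shown as an added example in Ruby. This is a simplified model and not Discourse's own code. The `Tag`/`User` structs, the group names, the `[tag]` subject format and all function names are assumptions made for illustration.

```ruby
require "set"

# Simplified model (assumption): a tag is "hidden" when it is restricted to
# certain groups; an empty visible_to set means everyone may see it.
Tag  = Struct.new(:name, :visible_to)
User = Struct.new(:name, :groups)

def tag_visible?(tag, user)
  tag.visible_to.empty? || !(tag.visible_to & user.groups).empty?
end

def format_subject(title, tags)
  prefix = tags.map { |t| "[#{t.name}]" }.join(" ")
  prefix.empty? ? title : "#{prefix} #{title}"
end

# Flawed pattern: every tag on the topic goes into the subject for any recipient.
def subject_unfiltered(title, tags, _recipient)
  format_subject(title, tags)
end

# Corrected pattern: tags are filtered by the recipient's visibility first.
def subject_filtered(title, tags, recipient)
  format_subject(title, tags.select { |t| tag_visible?(t, recipient) })
end

# Audit helper: tags a rendered subject exposes to a recipient who may not see them.
def leaked_tags(subject, tags, recipient)
  tags.reject { |t| tag_visible?(t, recipient) }
      .select { |t| subject.include?("[#{t.name}]") }
      .map(&:name)
end

# Constructed sample data.
TAGS = [
  Tag.new("support", Set.new),
  Tag.new("legal-hold", Set.new(["staff"])),
].freeze
MEMBER = User.new("alice", Set.new(["trust_level_1"]))
STAFF  = User.new("bob", Set.new(["staff"]))
TITLE  = "Billing question"

if __FILE__ == $PROGRAM_NAME
  [MEMBER, STAFF].each do |u|
    bad = subject_unfiltered(TITLE, TAGS, u)
    puts "#{u.name}: #{bad.inspect} leaked=#{leaked_tags(bad, TAGS, u)}"
    puts "#{u.name}: #{subject_filtered(TITLE, TAGS, u).inspect}"
  end
end
```

The `leaked_tags` helper can serve as a regression check in a mailer test suite: render the subject for a non-staff recipient and assert that the result is empty.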
The issue has been patched in version 2.8.13 of the 'stable' branch and version 2.9.0.beta14 of the 'beta' and 'tests-passed' branches. As a temporary workaround, administrators can use the 'disable_email' site setting to disable all emails to non-staff users (GitHub Advisory).
Source: This report was generated using AI