CVE-2023-38685: 
NixOS vulnerability analysis and mitigation

Discourse, an open source discussion platform, was found to have a vulnerability (CVE-2023-38685) where unauthorized users could obtain information about restricted-visibility topic tags. This vulnerability affected versions prior to 3.0.6 of the 'stable' branch and version 3.1.0.beta7 of the 'beta' and 'tests-passed' branches (GitHub Advisory).

The vulnerability stems from an implementation flaw where restricted tag information was visible in the noscript view. The hidden tags were usually filtered out by the serializer, but the noscript view used the topic objects instead of the serialized objects, bypassing the intended access controls. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity (NVD).

The vulnerability allowed unauthorized users to access information about restricted-visibility topic tags that should have been hidden from them, potentially exposing sensitive categorization or organizational information (GitHub Advisory).

The issue has been patched in version 3.0.6 of the 'stable' branch and version 3.1.0.beta7 of the 'beta' and 'tests-passed' branches. Users are advised to upgrade to these or later versions to mitigate the vulnerability (GitHub Advisory).