CVE-2023-44391: 
NixOS vulnerability analysis and mitigation

Discourse, an open source platform for community discussion, was found to have a vulnerability where user summaries were accessible to anonymous users even when the hide_user_profiles_from_public setting was enabled. The vulnerability (CVE-2023-44391) was disclosed on October 16, 2023, affecting versions prior to 3.1.1 stable and 3.2.0.beta2 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, has unchanged scope, and only impacts confidentiality at a low level, with no impact on integrity or availability (NVD).

The vulnerability allows unauthorized access to user summary information even when the platform is configured to hide user profiles from public view. This represents a privacy concern as sensitive user information could be exposed to unauthenticated users (GitHub Advisory).

The vulnerability has been patched in Discourse version 3.1.1 stable and 3.2.0.beta2. Users are advised to upgrade to these or later versions. There are no known workarounds for this vulnerability (GitHub Advisory).