CVE-2023-49099: 
NixOS vulnerability analysis and mitigation

Discourse, a platform for community discussion, was found to contain a security vulnerability (CVE-2023-49099) where secure upload URLs associated with posts could be accessed by guest users even when login was required. The vulnerability was discovered and disclosed in January 2024, affecting Discourse versions up to 3.1.3 (stable) and 3.2.0.beta3 (beta/tests-passed). This security issue has been patched in versions 3.2.0.beta4 and 3.1.4 (GitHub Advisory, NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 4.3 (MEDIUM) according to NVD, while GitHub rates it as 3.1 (LOW). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating that it can be exploited over the network, requires low attack complexity, needs no privileges, but does require user interaction. The vulnerability is categorized under CWE-284 (Improper Access Control) (NVD).

The vulnerability allows unauthorized access to secure upload URLs associated with posts by guest users in instances where login is required, potentially exposing sensitive information that should be restricted to authenticated users (GitHub Advisory).

The vulnerability has been patched in Discourse versions 3.2.0.beta4 and 3.1.4. As a workaround, administrators can set the site setting 'prevent_anons_from_downloading_files' to true. Users are advised to upgrade to the patched versions (GitHub Advisory).