CVE-2024-36122: 
NixOS vulnerability analysis and mitigation

Discourse, an open-source discussion platform, disclosed a vulnerability (CVE-2024-36122) affecting versions prior to 3.2.3 on the stable branch and version 3.3.0.beta4 on the beta and tests-passed branches. The vulnerability was discovered and reported on July 3, 2024, allowing moderators using the review queue to view users' email addresses even when the 'Allow moderators to view email addresses' setting is disabled (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, while GitHub assigned it a lower score of 2.4 (LOW) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allows moderators to access users' email addresses through the review queue, bypassing the intended privacy controls when the 'Allow moderators to view email addresses' setting is disabled (GitHub Advisory).

The issue has been patched in version 3.2.3 on the stable branch and version 3.3.0.beta4 on the beta and tests-passed branches. For those unable to update immediately, two workarounds are available: either prevent moderators from accessing the review queue, or disable both the 'approve suspect users' and 'must approve users' site settings to prevent users from being added to the review queue (GitHub Advisory).