Disclosure of Group Custom Fields in discourse-group-membership-ip-block Plugin

Disclosure of Group Custom Fields in discourse-group-membership-ip-block Plugin

CVE-2024-24755 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

discourse-group-membership-ip-block is a discourse plugin that adds support for adding users to groups based on their IP address. discourse-group-membership-ip-block was sending all group custom fields to the client, including group custom fields from other plugins which may expect their custom fields to remain secret.

Learn more about our User Device Pen Test.