CVE-2023-25169
- Source
- https://cve.org/CVERecord?id=CVE-2023-25169
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-25169.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-25169
- Aliases
-
- GHSA-x2r8-v85c-x3x7
- Published
- 2023-03-06T17:40:45.721Z
- Modified
- 2025-11-29T13:55:36.177214Z
- Severity
-
- 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Yearly Review Plugin leaking anonymised users data in discourse-yearly-review
- Details
-
discourse-yearly-review is a discourse plugin which publishes an automated Year in Review topic. In affected versions a user present in a yearly review topic that is then anonymised will still have some data linked to its original account. This issue has been patched in commit
b3ab33bbf7which is included in the latest version of the Discourse Yearly Review plugin. Users are advised to upgrade. Users unable to upgrade may disable theyearly_review_enabledsetting to fully mitigate the issue. Also, it's possible to edit the anonymised user's old data in the yearly review topics manually. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-200" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/25xxx/CVE-2023-25169.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/25xxx/CVE-2023-25169.json
- https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c
- https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7
- https://nvd.nist.gov/vuln/detail/CVE-2023-25169