CVE-2022-36068
7.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the stable branch and prior to 2.9.0.beta10 on the beta and tests-passed branches, a moderator can create new and edit existing themes by using the API when they should not be able to do so. The problem is patched in version 2.8.9 on the stable branch and version 2.9.0.beta10 on the beta and tests-passed branches. There are no known workarounds.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| discourse | discourse | < 2.8.9 | affected |
| discourse | discourse | >= 2.9.0.beta0, < 2.9.0.beta10 | affected |
Weaknesses
- CWE-862: CWE-862: Missing Authorization
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/discourse/discourse/security/advisories/GHSA-6crr-3662-263q
- https://github.com/discourse/discourse/pull/18418
- https://github.com/discourse/discourse/commit/ae1e536e83940d58f1c79b835c75c249121c46b6
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/discourse/discourse/security/advisories/GHSA-6crr-3662-263q
- https://github.com/discourse/discourse/pull/18418
- https://github.com/discourse/discourse/commit/ae1e536e83940d58f1c79b835c75c249121c46b6
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.