CVE-2022-36068

Summary

Discourse is an open source discussion platform. In versions prior to 2.8.9 on the stable branch and prior to 2.9.0.beta10 on the beta and tests-passed branches, a moderator can create new and edit existing themes by using the API when they should not be able to do so. The problem is patched in version 2.8.9 on the stable branch and version 2.9.0.beta10 on the beta and tests-passed branches. There are no known workarounds.

Affected Software

VendorProductVersion RangeStatus
discoursediscourse< 2.8.9affected
discoursediscourse>= 2.9.0.beta0, < 2.9.0.beta10affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References