CVE-2023-49099
3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
Discourse is a platform for community discussion. Under very specific circumstances, secure upload URLs associated with posts can be accessed by guest users even when login is required. This vulnerability has been patched in 3.2.0.beta4 and 3.1.4.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| discourse | discourse | < 3.1.4 | affected |
| discourse | discourse | >= 3.2.0beta1, < 3.2.0.beta4 | affected |
Weaknesses
- CWE-284: CWE-284: Improper Access Control
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/discourse/discourse/security/advisories/GHSA-j67x-x6mq-pwv4
- https://github.com/discourse/discourse/commit/1b288236387fc0a823e4f15f1aea8dde81b49d53
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/discourse/discourse/security/advisories/GHSA-j67x-x6mq-pwv4
- https://github.com/discourse/discourse/commit/1b288236387fc0a823e4f15f1aea8dde81b49d53
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.