Malicious users can create spam topics as any user

Moderate
pmusaraj published GHSA-7mf3-5v84-wxq8 Jan 30, 2023

Package

No package listed

Affected versions

stable <= 3.0; beta <= 3.1.0.beta1; tests-passed <= 3.1.0.beta1

Patched versions

stable >= 3.0.1; beta >= 3.1.0.beta2; tests-passed >= 3.1.0.beta2

Description

Impact

The embeddable comments feature can be exploited to create new topics as any user, but without any clear title or content.

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

Disable embeddable comments by deleting all embeddable hosts.

Severity

Moderate
5.3 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE ID

CVE-2023-23615

Weaknesses

No CWEs