Malicious users can create spam topics as any user
Package
No package listed
Affected versions
stable <= 3.0; beta <= 3.1.0.beta1; tests-passed <= 3.1.0.beta1
Patched versions
stable >= 3.0.1; beta >= 3.1.0.beta2; tests-passed >= 3.1.0.beta2
Impact
The embeddable comments feature can be exploited to create new topics as any user, but without any clear title or content.
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Workarounds
Disable embeddable comments by deleting all embeddable hosts.
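A check of an installed version against the affected and patched ranges listed above, as an added example that is not part of the advisory or of Discourse's own code. It assumes version strings of the form `3.1.0.beta1`; the function names and the `:unlisted` result are this example's own. It relies on RubyGems' `Gem::Version` ordering, and includes the single-threshold shortcut that wrongly reports `3.1.0.beta1` as patched.

```ruby
# Added example: classify a Discourse version against this advisory's ranges.
require "rubygems"

# Thresholds copied from the advisory, keyed by its branch labels.
RANGES = {
  "stable"       => { affected_max: "3.0",         patched_min: "3.0.1" },
  "beta"         => { affected_max: "3.1.0.beta1", patched_min: "3.1.0.beta2" },
  "tests-passed" => { affected_max: "3.1.0.beta1", patched_min: "3.1.0.beta2" },
}.freeze

# Returns :affected, :patched, or :unlisted (falls between the two ranges).
# Function name and return symbols are this example's own.
def advisory_status(version, branch)
  range = RANGES.fetch(branch) { raise ArgumentError, "unknown branch: #{branch.inspect}" }
  unless version.is_a?(String) && Gem::Version.correct?(version)
    raise ArgumentError, "malformed version: #{version.inspect}"
  end
  v = Gem::Version.new(version)
  return :affected if v <= Gem::Version.new(range[:affected_max])
  return :patched  if v >= Gem::Version.new(range[:patched_min])
  :unlisted
end

# The shortcut to avoid: one threshold applied to every branch.
def naive_patched?(version)
  Gem::Version.new(version) >= Gem::Version.new("3.0.1")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory: [version, branch]
  [["2.8.14", "stable"], ["3.0.0", "stable"], ["3.0.1", "stable"],
   ["3.1.0.beta1", "beta"], ["3.1.0.beta2", "tests-passed"]].each do |ver, branch|
    puts format("%-12s %-13s %s", ver, branch, advisory_status(ver, branch))
  end
end
```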