User profile location and website fields were not sufficiently length-limited

Low
jomaxro published GHSA-jw3q-xg5g-qjrw Sep 29, 2022

Package

Discourse (Discourse)

Affected versions

stable <= 2.8.8; beta <= 2.9.0.beta9; tests-passed <= 2.9.0.beta9

Patched versions

stable >= 2.8.9; beta >= 2.9.0.beta10; tests-passed >= 2.9.0.beta10

Description

Impact

A malicious actor can add large payloads of text into the Location and Website fields of a user profile, which causes issues for other users when loading that profile.

Patches

A fix to limit the length of user input for these fields is included in the latest stable, beta and tests-passed versions of Discourse.
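To check whether a given install falls in the affected range, the version comparison has to order beta tags numerically (`beta10` is newer than `beta9`, which a plain string comparison gets wrong). The following is an added example, not code from Discourse or from this advisory; the helper name `affected_by_advisory?` is hypothetical, and it assumes that any version carrying a `betaN` suffix belongs to the beta/tests-passed channel and everything else is a stable release.

```ruby
require "rubygems" # Gem::Version ships with Ruby

# Thresholds copied from the advisory's "Affected versions" field.
LAST_AFFECTED_STABLE = Gem::Version.new("2.8.8")
LAST_AFFECTED_BETA   = Gem::Version.new("2.9.0.beta9")

# Hypothetical helper (not part of Discourse): true when the version string
# is inside the advisory's affected range.
# Assumption: a "betaN" suffix means beta/tests-passed, otherwise stable.
def affected_by_advisory?(version_string)
  # Accept a git-tag style leading "v" and surrounding whitespace.
  cleaned = version_string.to_s.strip.sub(/\Av/, "")
  if cleaned.empty? || !Gem::Version.correct?(cleaned)
    raise ArgumentError, "malformed version: #{version_string.inspect}"
  end

  version = Gem::Version.new(cleaned)
  # prerelease? is true when any segment contains letters, e.g. "beta9".
  limit = version.prerelease? ? LAST_AFFECTED_BETA : LAST_AFFECTED_STABLE
  version <= limit
end

if __FILE__ == $0
  # Constructed sample inputs, not taken from any real deployment.
  %w[2.8.8 2.8.9 2.9.0.beta9 2.9.0.beta10 v2.8.7].each do |v|
    status = affected_by_advisory?(v) ? "AFFECTED" : "patched"
    puts format("%-14s %s", v, status)
  end
end
```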

Severity

Low

CVE ID

CVE-2022-39226

Weaknesses