User profile location and website fields were not sufficiently length-limited
Package
Discourse (Discourse)
Affected versions
stable <= 2.8.8; beta <= 2.9.0.beta9; tests-passed <= 2.9.0.beta9
Patched versions
stable >= 2.8.9; beta >= 2.9.0.beta10; tests-passed >= 2.9.0.beta10
Impact
A malicious actor can add large payloads of text into the Location and Website fields of a user profile, which causes issues for other users when loading that profile.
Patches
A fix to limit the length of user input for these fields is included in the latest stable, beta and tests-passed versions of Discourse.
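As an added illustration of the class of fix described above (example code written for this page, not Discourse's own implementation), the following Ruby validator bounds both fields server-side before they are persisted, so that every later render of the profile only ever handles a predictable amount of text. The module name `ProfileFieldLimits`, the limits of 255 and 2048 characters, and the sample inputs are assumptions, not values taken from Discourse.

```ruby
# Added example, not Discourse's own code: server-side length limits for
# free-text user profile fields. The limits below are assumed values chosen
# for illustration; the real maximums are a product decision.
require 'uri'

module ProfileFieldLimits
  MAX_LOCATION_LENGTH = 255   # assumed
  MAX_WEBSITE_LENGTH  = 2048  # assumed

  # Returns a list of validation errors (empty when the input is acceptable).
  # Lengths are checked in characters; bytesize is also capped so that
  # multi-byte input cannot exceed the intended storage footprint.
  def self.errors_for(location:, website:)
    errors   = []
    location = location.to_s
    website  = website.to_s

    if location.length > MAX_LOCATION_LENGTH || location.bytesize > MAX_LOCATION_LENGTH * 4
      errors << "location exceeds #{MAX_LOCATION_LENGTH} characters (got #{location.length})"
    end

    if website.length > MAX_WEBSITE_LENGTH || website.bytesize > MAX_WEBSITE_LENGTH * 4
      errors << "website exceeds #{MAX_WEBSITE_LENGTH} characters (got #{website.length})"
    elsif !website.empty? && !valid_http_url?(website)
      # Only reached for inputs that are already within the length limit,
      # so URI parsing never runs over an unbounded string.
      errors << "website must be an http(s) URL"
    end

    errors
  end

  # Accepts only absolute http/https URLs with a host component.
  def self.valid_http_url?(str)
    uri = URI.parse(str)
    %w[http https].include?(uri.scheme) && !uri.host.nil?
  rescue URI::InvalidURIError
    false
  end
end

# Constructed sample inputs: an ordinary profile and an oversized one.
NORMAL_PROFILE   = { location: "Wellington, NZ", website: "https://example.com" }
OVERSIZE_PROFILE = { location: "A" * 100_000,
                     website:  "https://example.com/" + ("x" * 100_000) }

if __FILE__ == $0
  p ProfileFieldLimits.errors_for(**NORMAL_PROFILE)    # => []
  p ProfileFieldLimits.errors_for(**OVERSIZE_PROFILE)  # => two length errors
end
```

The check runs before the URL is parsed, which matters: length validation should be the first gate, so that no downstream parser, renderer or database write ever receives the unbounded payload.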