Skip to content

Bypass of post max_length using HTML comments

Moderate
jomaxro published GHSA-p47g-v5wr-p4xp Jan 5, 2023

Package

Discourse (Discourse)

Affected versions

stable <= 2.8.13; beta <= 3.0.0.beta15; tests-passed <= 3.0.0.beta15

Patched versions

stable >= 2.8.14; beta >= 3.0.0.beta16; tests-passed >= 3.0.0.beta16

Description

Impact

Users can create posts with raw body longer than the max_length site setting by including html comments that are not counted toward the character limit.

Patches

Patch has been applied.

Workarounds

Upgrading is necessary.

Severity

Moderate
5.7
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CVE ID

CVE-2022-23549

Weaknesses