DoS via admin theme import route
Package
Discourse
(Discourse)
Affected versions
stable <= 3.0.2; beta <= 3.1.0.beta3; tests-passed <= 3.1.0.beta3
Patched versions
stable > 3.0.2; beta > 3.1.0.beta3; tests-passed > 3.1.0.beta3
Impact
A maliciously crafted request from a Discourse administrator can lead to a long-running request and eventual timeout. This has the greatest potential impact in shared hosting environments where admins are untrusted.
Patches
This issue is patched in the latest stable and tests-passed versions of Discourse.