DoS via admin theme import route

Low
nattsw published GHSA-vm65-pv5h-6g3w Apr 18, 2023

Package

Discourse (Discourse)

Affected versions

stable <= 3.0.2; beta <= 3.1.0.beta3; tests-passed <= 3.1.0.beta3

Patched versions

stable > 3.0.2; beta > 3.1.0.beta3; tests-passed > 3.1.0.beta3

Description

Impact

A maliciously crafted request to the admin theme import route, sent by a Discourse administrator, can lead to a long-running request and an eventual timeout. This has the greatest potential impact in shared hosting environments where admins are untrusted.

Patches

This issue is patched in the latest stable and tests-passed versions of Discourse.

Severity

Low (2.7 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

CVE ID

CVE-2023-28440

Weaknesses

No CWEs

Credits