PT-2023-19078 · Discourse · Discourse
Lownattsw
·
Publicado
2023-01-27
·
Atualizado
2024-03-06
·
CVE-2023-23616
CVSS v3.1
3.5
Baixa
| Vetor | AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 3.0.1 on the stable branch
Discourse versions prior to 3.1.0.beta2 on the beta and tests-passed branches
Description
The issue concerns the submission of membership requests, where there is no character limit for the reason provided. This could potentially allow a user to flood the database with a large amount of data. However, it is unlikely to be used as part of a Denial of Service (DoS) attack, as the paths reading back the reasons are only available to administrators. A character limit of 280 characters has been introduced for membership requests in later versions.
Recommendations
For Discourse versions prior to 3.0.1 on the stable branch, update to version 3.0.1 or later to introduce a character limit for membership requests.
For Discourse versions prior to 3.1.0.beta2 on the beta and tests-passed branches, update to version 3.1.0.beta2 or later to introduce a character limit for membership requests.
Exploit
Correção
DoS
Resource Exhaustion
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Discourse