CVE-2022-23549

CVSS v3.1

5.7

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2.8.14 on the stable branch and prior to 2.9.0.beta16 on the beta and tests-passed branches

Description The issue allows users to create posts with a raw body longer than the max length site setting by including HTML comments that are not counted toward the character limit. This is possible due to the way HTML comments are handled in posts. There are no known workarounds for this issue.

Recommendations For versions prior to 2.8.14 on the stable branch, update to version 2.8.14 or later. For versions prior to 2.9.0.beta16 on the beta and tests-passed branches, update to version 2.9.0.beta16 or later.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

BIT-DISCOURSE-2022-23549

CVE-2022-23549

GHSA-P47G-V5WR-P4XP

Affected Products

Discourse

CVE-2022-23549

Weakness Enumeration

Related Identifiers

Affected Products

References · 9