CVE-2023-23616

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 3.0.1 on the stable branch Discourse versions prior to 3.1.0.beta2 on the beta and tests-passed branches

Description The issue concerns the submission of membership requests, where there is no character limit for the reason provided. This could potentially allow a user to flood the database with a large amount of data. However, it is unlikely to be used as part of a Denial of Service (DoS) attack, as the paths reading back the reasons are only available to administrators. A character limit of 280 characters has been introduced for membership requests in later versions.

Recommendations For Discourse versions prior to 3.0.1 on the stable branch, update to version 3.0.1 or later to introduce a character limit for membership requests. For Discourse versions prior to 3.1.0.beta2 on the beta and tests-passed branches, update to version 3.1.0.beta2 or later to introduce a character limit for membership requests.