PT-2024-32810 · Discourse · Discourse

Zere0 · Published 2024-10-08 · Updated 2024-10-14 · CVE-2024-47773

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 3.3.2; Discourse tests-passed versions prior to 3.4.0.beta2

Description: The issue affects Discourse, an open source platform for community discussion, and allows an attacker to poison the cache with repeated XHR requests, affecting anonymous visitors of the site.

Recommendations: For Discourse versions prior to 3.3.2, upgrade to the latest version to resolve the issue. For Discourse tests-passed versions prior to 3.4.0.beta2, upgrade to a version at or after 3.4.0.beta2 to resolve the issue. As a temporary workaround for users unable to upgrade, consider disabling the anonymous cache by setting the DISCOURSE_DISABLE_ANON_CACHE environment variable to a non-empty value.

Related Identifiers

BIT-DISCOURSE-2024-47773
CVE-2024-47773
GHSA-58VV-9J8H-HW2V

Affected Products

Discourse