PT-2025-2994 · Discourse · Discourse

Taisehub · Published 2025-02-04 · Updated 2025-09-26 · CVE-2024-53851

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to the latest stable, beta and tests-passed versions.
Description: The issue lies in the endpoint that generates inline oneboxes for URLs. It did not enforce a limit on the number of URLs accepted in a single request, so a malicious user could cause a denial of service in some parts of the application. Exploitation requires an authenticated user.
Recommendations: For versions prior to the latest stable, beta and tests-passed versions, update to the latest version to resolve the issue. For users unable to update, as a temporary workaround, turn off the "enable inline onebox on all domains" site setting and remove all entries from the "allowed inline onebox domains" site setting.

Exploit

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2024-53851
CVE-2024-53851
GHSA-49RV-574X-WGPC

Affected Products

Discourse