CVE-2023-31142

Published: Jun 13, 2023Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, if a site has modified their general category permissions, they could be set back to the default. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. A workaround, only if you are modifying the general category permissions, is to use a new category for the same purpose.

Affected (5)

Products: Discourse: Discourse

Discourse

1 product

Discourse

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Discourse Discourse	Before 3.0.4
Discourse Discourse	Version 3.1.0 beta1
Discourse Discourse	Version 3.1.0 beta2
Discourse Discourse	Version 3.1.0 beta3
Discourse Discourse	Version 3.1.0 beta4

Related CWEs

CWE-732

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (2)

https://github.com/discourse/discourse/security/advisories/GHSA-286w-97m2-78x2

Source: security-advisories@github.com

Vendor Advisory

https://github.com/discourse/discourse/security/advisories/GHSA-286w-97m2-78x2

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.