CVE-2023-32061

Published: Jun 13, 2023Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, the lack of restrictions on the iFrame tag makes it easy for an attacker to exploit the vulnerability and hide subsequent comments from other users. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. There are no known workarounds.

Affected (5)

Products: Discourse: Discourse

Discourse

1 product

Discourse

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Discourse Discourse	Before 3.0.4
Discourse Discourse	Version 3.1.0 beta1
Discourse Discourse	Version 3.1.0 beta2
Discourse Discourse	Version 3.1.0 beta3
Discourse Discourse	Version 3.1.0 beta4

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://github.com/discourse/discourse/security/advisories/GHSA-prx4-49m8-874g

Source: security-advisories@github.com

Vendor Advisory

https://github.com/discourse/discourse/security/advisories/GHSA-prx4-49m8-874g

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.