CVE-2023-49099

Published: Jan 12, 2024Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Discourse is a platform for community discussion. Under very specific circumstances, secure upload URLs associated with posts can be accessed by guest users even when login is required. This vulnerability has been patched in 3.2.0.beta4 and 3.1.4.

Affected (4)

Products: Discourse: Discourse

Discourse

1 product

Discourse

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Discourse Discourse	Before 3.1.4
Discourse Discourse	Version 3.2.0 beta1
Discourse Discourse	Version 3.2.0 beta2
Discourse Discourse	Version 3.2.0 beta3

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://github.com/discourse/discourse/commit/1b288236387fc0a823e4f15f1aea8dde81b49d53

Source: security-advisories@github.com

Patch

https://github.com/discourse/discourse/security/advisories/GHSA-j67x-x6mq-pwv4

Source: security-advisories@github.com

Vendor Advisory

https://github.com/discourse/discourse/commit/1b288236387fc0a823e4f15f1aea8dde81b49d53

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/discourse/discourse/security/advisories/GHSA-j67x-x6mq-pwv4

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.