CVE-2024-36113

Published: Jul 3, 2024Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch, a rogue staff user could suspend other staff users preventing them from logging in to the site. The issue is patched in version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch. No known workarounds are available.

Affected (4)

Products: Discourse: Discourse

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Discourse Discourse	Before 3.3.0
Discourse Discourse	Before 3.2.3
Discourse Discourse	Version 3.3.0 beta1
Discourse Discourse	Version 3.3.0 beta2

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (6)

https://github.com/discourse/discourse/commit/8470546f59b04bd82ce9b711406758fd5439936d

Source: security-advisories@github.com

Patch

https://github.com/discourse/discourse/commit/9c4a5f39d3ad351410a1453ff5e5f7ffce17cd7e

Source: security-advisories@github.com

Patch

https://github.com/discourse/discourse/security/advisories/GHSA-3w3f-76p7-3c4g

Source: security-advisories@github.com

Third Party Advisory

https://github.com/discourse/discourse/commit/8470546f59b04bd82ce9b711406758fd5439936d

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/discourse/discourse/commit/9c4a5f39d3ad351410a1453ff5e5f7ffce17cd7e

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/discourse/discourse/security/advisories/GHSA-3w3f-76p7-3c4g

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.