CVE-2024-49765

Published: Dec 19, 2024Modified: Sep 26, 2025

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

Discourse is an open source platform for community discussion. Sites that are using discourse connect but still have local logins enabled could allow attackers to bypass discourse connect to create accounts and login. This problem is patched in the latest version of Discourse. Users unable to upgrade who are using discourse connect may disable all other login methods as a workaround.

Affected (5)

Products: Discourse: Discourse

Discourse

1 product

Discourse

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Discourse Discourse	Before 3.4.0
Discourse Discourse	Before 3.3.3
Discourse Discourse	Version 3.4.0 beta1
Discourse Discourse	Version 3.4.0 beta2
Discourse Discourse	Version 3.4.0 beta3

Related CWEs

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

References (1)

https://github.com/discourse/discourse/security/advisories/GHSA-v8rf-pvgm-xxf2

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.