History: Jan 05, 2023 - 7:15 p.m.

CVE-2022-23546

2023-01-05 19:15:09
CWE-200
web.nvd.nist.gov
Tags: cve-2022-23546, discourse, version 2.9.0.beta14, version 2.9.0.beta15, security patch, admin leak

CVSS3: 5.5 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS: 0.001 Low
Percentile: 26.4%

In version 2.9.0.beta14 of Discourse, an open-source discussion platform, maliciously embedded URLs can leak an admin's digest of recent topics, possibly exposing private information. A patch is available for version 2.9.0.beta15. There are no known workarounds for this issue.

Affected configurations

Vendor: discourse
Product: discourse
Version: 2.9.0.beta14
CPE: cpe:2.3:a:discourse:discourse:2.9.0.beta14:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse",
    "versions": [
      {
        "version": "= 2.9.0.beta14",
        "status": "affected"
      }
    ]
  }
]
