CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score: 5.3 Medium
Confidence: High

EPSS: 0.001 Low
Percentile: 38.6%

Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the stable branch and 2.9.0.beta5 on the beta and tests-passed branches, inviting users on sites that use single sign-on could bypass the must_approve_users check, and invites by staff are always approved automatically. The issue is patched in Discourse version 2.8.4 on the stable branch and version 2.9.0.beta5 on the beta and tests-passed branches. As a workaround, disable invites or increase min_trust_level_to_allow_invite to reduce the attack surface to more trusted users.

[
  {
    "product": "discourse",
    "vendor": "discourse",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.8.4"
      },
      {
        "status": "affected",
        "version": ">= 2.9.0.beta1, <= 2.9.0.beta4"
      }
    ]
  }
]

github.com/discourse/discourse/commit/0fa0094531efc82d9371f90a02aa804b176d59cf
github.com/discourse/discourse/commit/7c4e2d33fa4b922354c177ffc880a2f2701a91f9
github.com/discourse/discourse/pull/16974
github.com/discourse/discourse/pull/16984
github.com/discourse/discourse/security/advisories/GHSA-x7jh-mx5q-6f9q