Skip to content

DoS through invites

Moderate
nattsw published GHSA-cvp5-h7p8-mjj6 Mar 15, 2024

Package

No package listed

Affected versions

stable <= 3.2.0; beta <= 3.3.0.beta1; tests-passed <= 3.3.0.beta1

Patched versions

stable >= 3.2.1; beta >= 3.3.0.beta2; tests-passed >= 3.3.0.beta2

Description

Impact

Users that are allowed to invite others can inject arbitrarily large data in parameters used in the invite route.

Patches

The problem has been patched in the latest version of Discourse.

Workarounds

Disable invites or restrict access to them using the invite allowed groups site setting.

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2024-27085

Weaknesses

No CWEs