Impact
Users that are allowed to invite others can inject arbitrarily large data in parameters used in the invite route.
Patches
The problem has been patched in the latest version of Discourse.
Workarounds
Disable invites or restrict access to them using the invite allowed groups site setting.