Описание
Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the stable branch and 2.9.0beta5 on the beta and tests-passed branches, inviting users on sites that use single sign-on could bypass the must_approve_users check and invites by staff are always approved automatically. The issue is patched in Discourse version 2.8.4 on the stable branch and version 2.9.0.beta5 on the beta and tests-passed branches. As a workaround, disable invites or increase min_trust_level_to_allow_invite to reduce the attack surface to more trusted users.
Ссылки
- PatchThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.8.4 (исключая)
Одно из
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta1:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta2:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta3:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta4:*:*:*:*:*:*
EPSS
Процентиль: 49%
0.00261
Низкий
2.6 Low
CVSS3
5.3 Medium
CVSS3
5 Medium
CVSS2
Дефекты
CWE-285
NVD-CWE-Other
EPSS
Процентиль: 49%
0.00261
Низкий
2.6 Low
CVSS3
5.3 Medium
CVSS3
5 Medium
CVSS2
Дефекты
CWE-285
NVD-CWE-Other