Discourse moderators can edit themes via the API
CVE-2022-36068
7.2HIGH
Summary
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the stable
branch and prior to 2.9.0.beta10 on the beta
and tests-passed
branches, a moderator can create new and edit existing themes by using the API when they should not be able to do so. The problem is patched in version 2.8.9 on the stable
branch and version 2.9.0.beta10 on the beta
and tests-passed
branches. There are no known workarounds.
Affected Version(s)
discourse < 2.8.9 < 2.8.9
discourse >= 2.9.0.beta0, < 2.9.0.beta10 < 2.9.0.beta0, 2.9.0.beta10
References
CVSS V3.1
Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved