Rogue Staff User Could Suspend Other Staff Users, Patched in Latest Versions
CVE-2024-36113

6.5MEDIUM

Key Information:

Vendor: Discourse
Status: Discourse
Vendor: CVE Published:; 3 July 2024

Summary

Discourse is an open-source discussion platform. Prior to version 3.2.3 on the stable branch, version 3.3.0.beta3 on the beta branch, and version 3.3.0.beta4-dev on the tests-passed branch, a rogue staff user could suspend other staff users preventing them from logging in to the site. The issue is patched in version 3.2.3 on the stable branch, version 3.3.0.beta3 on the beta branch, and version 3.3.0.beta4-dev on the tests-passed branch. No known workarounds are available.

References

https://github.com/discourse/discourse/security/advisorie...

https://github.com/discourse/discourse/commit/8470546f59b...

https://github.com/discourse/discourse/commit/9c4a5f39d3a...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 3, 2024