Attackers Can Bypass Domain-Based Restrictions in Discourse Due to Recent Vulnerability
CVE-2024-45051
8.2 HIGH
Summary
A critical vulnerability exists in Discourse, an open-source platform for community discussion, that allows an attacker to use a crafted email address to circumvent domain-based restrictions. Exploitation enables unauthorized access to private sites, categories, and groups within the platform. The issue has been addressed in the latest versions of Discourse, and all users are strongly urged to upgrade, as there are no existing workarounds. Keeping your Discourse installation up to date is essential for maintaining security.
Affected Version(s)
discourse stable: < 3.3.2
discourse beta: < 3.4.0.beta2
CVSS V3.1
Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published