CVE-2022-23549

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-23549
Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, users can create posts with raw body longer than the `max_length` site setting by including html comments that are not counted toward the character limit. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.

5.7 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/discourse/discourse/commit/bf6b08670a927cc80bb090b7a2e710b4b554e6a8 Patch Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-p47g-v5wr-p4xp Third Party Advisory
https://github.com/discourse/discourse/commit/bf6b08670a927cc80bb090b7a2e710b4b554e6a8 Patch Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-p47g-v5wr-p4xp Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta1:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta10:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta11:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta12:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta13:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta14:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta2:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta3:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta4:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta5:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta6:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta7:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.9.0:beta8:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:3.0.0:beta15:*:*:*:*:*:*
History

21 Nov 2024, 06:48

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.5 		v2 : unknown
v3 : 5.7
Summary
  • (es) Discourse es una plataforma de discusión de fuentes de opciones. Antes de la versión 2.8.14 en la rama `stable` y la versión 2.9.0.beta16 en las ramas `beta` y `tests-passed`, los usuarios podían crear publicaciones con un cuerpo sin formato más largo que la configuración del sitio `max_length` al incluir html comentarios que no cuentan para el límite de caracteres. Este problema se solucionó en las versiones 2.8.14 y 2.9.0.beta16. No se conocen workarounds.
References () https://github.com/discourse/discourse/commit/bf6b08670a927cc80bb090b7a2e710b4b554e6a8 - Patch, Third Party Advisory () https://github.com/discourse/discourse/commit/bf6b08670a927cc80bb090b7a2e710b4b554e6a8 - Patch, Third Party Advisory
References () https://github.com/discourse/discourse/security/advisories/GHSA-p47g-v5wr-p4xp - Third Party Advisory () https://github.com/discourse/discourse/security/advisories/GHSA-p47g-v5wr-p4xp - Third Party Advisory
Information

Published : 2023-01-05 19:15

Updated : 2024-11-21 06:48

NVD link : CVE-2022-23549

Mitre link : CVE-2022-23549

CVE.ORG link : CVE-2022-23549

JSON object : View

Products Affected

discourse

  • discourse
CWE
CWE-20

Improper Input Validation

NVD-CWE-Other

NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024