CVE-2023-49099

Published Jan 12, 2024

Last updated 6 months ago

CVSS low 3.1

Overview

Description: Discourse is a platform for community discussion. Under very specific circumstances, secure upload URLs associated with posts can be accessed by guest users even when login is required. This vulnerability has been patched in 3.2.0.beta4 and 3.1.4.
Source: security-advisories@github.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 4.3
Impact score: 1.4
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Severity: MEDIUM

Weaknesses

security-advisories@github.com: CWE-284

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A51406A4-A2FE-4BFE-8EA0-58359582D6A7",
            "versionEndExcluding": "3.1.4"
          },
          {
            "criteria": "cpe:2.3:a:discourse:discourse:3.2.0:beta1:*:*:beta:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1BFF647B-6CEF-43BF-BF5E-C82B557F78E2"
          },
          {
            "criteria": "cpe:2.3:a:discourse:discourse:3.2.0:beta2:*:*:beta:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "10D931DE-F8F5-4A34-A30A-FDD4420ABD1A"
          },
          {
            "criteria": "cpe:2.3:a:discourse:discourse:3.2.0:beta3:*:*:beta:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C62C36D4-6CE7-4A57-BBF7-8066CFAE342A"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References