Vulnerability Description
Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, users can create posts with raw body longer than the `max_length` site setting by including html comments that are not counted toward the character limit. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | < 2.8.14 |
Related Weaknesses (CWE)
References
- https://github.com/discourse/discourse/commit/bf6b08670a927cc80bb090b7a2e710b4b5PatchThird Party Advisory
- https://github.com/discourse/discourse/security/advisories/GHSA-p47g-v5wr-p4xpThird Party Advisory
- https://github.com/discourse/discourse/commit/bf6b08670a927cc80bb090b7a2e710b4b5PatchThird Party Advisory
- https://github.com/discourse/discourse/security/advisories/GHSA-p47g-v5wr-p4xpThird Party Advisory
FAQ
What is CVE-2022-23549?
CVE-2022-23549 is a vulnerability with a CVSS score of 5.7 (MEDIUM). Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, users can create posts with raw bo...
How severe is CVE-2022-23549?
CVE-2022-23549 has been rated MEDIUM with a CVSS base score of 5.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-23549?
Check the references section above for vendor advisories and patch information. Affected products include: Discourse Discourse.