CVE-2023-37904

moderate-risk
Published 2023-07-28

Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, more users than permitted could be created from invite links. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. As a workaround, use restrict to email address invites.

Do I need to act?

-
0.17% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
2
CVSS 2.6/10 Low
NETWORK / HIGH complexity

Affected Products (20)

Affected Vendors

Discourse

References (4)

Patch https://github.com/discourse/discourse/commit/62a609ea2d0645a27ee8adbb01ce10a5e0...
Vendor Advisory https://github.com/discourse/discourse/security/advisories/GHSA-6wj5-4ph2-c7qg
Patch https://github.com/discourse/discourse/commit/62a609ea2d0645a27ee8adbb01ce10a5e0...
Vendor Advisory https://github.com/discourse/discourse/security/advisories/GHSA-6wj5-4ph2-c7qg
44
/ 100
moderate-risk
Severity 10/34 · Low
Exploitability 1/34 · Minimal
Exposure 33/34 · Critical