CVE-2024-47773
moderate-risk
Published 2024-10-08
Discourse is an open source platform for community discussion. An attacker can make several XHR requests until the cache is poisoned with a response without any preloaded data. This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value.
Do I need to act?
~
7.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.2/10
High
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (1)
Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-58vv-9j8h-hw2v
43
/ 100
moderate-risk
Severity
28/34 · Critical
Exploitability
10/34 · Low
Exposure
5/34 · Minimal