VYPR
Unrated severity · NVD Advisory · Published Nov 10, 2023 · Updated Sep 3, 2024

Discourse DoS through Onebox favicon URL

CVE-2023-47120

Description

Discourse is an open source platform for community discussion. In versions 3.1.0 through 3.1.2 of the stable branch and versions 3.1.0.beta6 through 3.2.0.beta2 of the beta and tests-passed branches, Redis memory can be depleted by crafting a site with an abnormally long favicon URL and drafting multiple posts that Onebox it. The issue is patched in version 3.1.3 of the stable branch and version 3.2.0.beta3 of the beta and tests-passed branches. There are no known workarounds.
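The description above points at the defensive control that closes this class of bug: bounding what a link preview is allowed to persist in a shared cache. The Ruby below is an added illustration written for this page, not Discourse's own code or its actual patch; the length limit, the function name and the in-memory cache stand-in are all assumptions.

```ruby
require "uri"

# Assumed upper bound for a favicon URL that a preview may persist.
# Real favicon URLs are short; anything far beyond this is not worth caching.
MAX_FAVICON_URL_LENGTH = 2_048

# Returns the favicon URL only if it is a well-formed http(s) URL within the
# size limit; otherwise nil, so the caller stores nothing for it. The length
# check runs before parsing so an oversized value never reaches URI.parse.
def safe_favicon_url(url)
  return nil if url.nil? || url.length > MAX_FAVICON_URL_LENGTH
  uri = URI.parse(url) rescue nil
  return nil unless uri.is_a?(URI::HTTP) && uri.host
  url
end

# Hypothetical in-memory stand-in for the Redis cache of preview data, with a
# byte counter so the effect of the cap on memory use can be seen offline.
class BoundedPreviewCache
  attr_reader :bytes_stored

  def initialize
    @store = {}
    @bytes_stored = 0
  end

  # Stores the sanitized favicon URL for a post key; returns what was stored.
  def put(key, favicon_url)
    favicon = safe_favicon_url(favicon_url)
    @store[key] = favicon
    @bytes_stored += favicon.to_s.bytesize
    favicon
  end
end
```

Drafting many posts against the same oversized favicon URL then adds nothing to `bytes_stored`, which is the property the fix needs to hold.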


Affected products

  • Discourse (software), 2 version ranges:
    • >=3.1.0, <=3.1.2 stable || >=3.1.0.beta6, <=3.2.0.beta2 beta/tests-passed (no CPE)
    • >= 3.1.0, < 3.1.3 (no CPE)
  • osv-coords range: >= 3.1.0, < 3.1.3
