Unrated severityNVD Advisory· Published Oct 8, 2024· Updated Oct 8, 2024

Anonymous cache poisoning via XHR requests in Discourse

CVE-2024-47773

Description

Discourse is an open source platform for community discussion. An attacker can make several XHR requests until the cache is poisoned with a response without any preloaded data. This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the DISCOURSE_DISABLE_ANON_CACHE environment variable to a non-empty value.

Affected products

Discourse (software)/Discoursev5
Range: stable: < 3.3.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/discourse/discourse/security/advisories/GHSA-58vv-9j8h-hw2vmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.006
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000