CVE-2022-23549 MEDIUM

CVE-2022-23549: Discourse vulnerable to bypass of post max_length using HTML comments

Vendor Discourse
Product discourse
Weakness CWE-20 · Input validation
Published January 5, 2023
Last update March 10, 2025
View on NVD All CVEs

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, users can create posts with raw body longer than the `max_length` site setting by including html comments that are not counted toward the character limit. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.

Key dates

02Disclosure timeline

January 5, 2023 CVE published
March 10, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-23770 WISA Smart Wing CMS Remote Command Execution Vulnerability CVE-2026-22611 AWS SDK for .NET V4 adopted defense in depth enhancement for region parameter value CVE-2024-9507 Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder <= 2.15.2 - Authenticated (Administrator+) Improper Input Validation via iconUpload Function to Arbitrary File Read CVE-2023-5043 Ingress nginx annotation injection causes arbitrary command execution CVE-2019-12699 Cisco FXOS Software and Firepower Threat Defense Software Command Injection Vulnerabilities