CVE-2023-28440 LOW

CVE-2023-28440: Denial of service via admin theme import route in Discourse

Vendor Discourse

Product discourse

Weakness CWE-400

Published April 18, 2023

Last update February 6, 2025

View on NVD All CVEs

CVSS base score

2.7/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

Discourse is an open source platform for community discussion. In affected versions a maliciously crafted request from a Discourse administrator can lead to a long-running request and eventual timeout. This has the greatest potential impact in shared hosting environments where admins are untrusted. This issue has been addressed in versions 3.0.3 and 3.1.0.beta4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

April 18, 2023 CVE published

February 6, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-28440 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/400.html

Related vulnerabilities

Identifiers

CVE CVE-2023-28440

CWE CWE-400

CVSS 2.7 / LOW

Affected versions

Vendor Discourse

Product discourse

Affected stable: <= 3.0.2

Vendor Discourse

Product discourse

Affected beta: <= 3.1.0.beta3

CVE-2023-28440: Denial of service via admin theme import route in Discourse

01Description

02Disclosure timeline

03References

04Related CVE