CVE-2023-45147 MEDIUM

CVE-2023-45147: Arbitrary keys can be added to a topic's custom fields by any user in Discourse

Vendor Discourse

Product discourse

Weakness CWE-200 · Info exposure

Published October 16, 2023

Last update September 13, 2024

View on NVD All CVEs

CVSS base score

4.9/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Discourse is an open source community platform. In affected versions any user can create a topic and add arbitrary custom fields to a topic. The severity of this vulnerability depends on what plugins are installed and how the plugins uses topic custom fields. For a default Discourse installation with the default plugins, this vulnerability has no impact. The problem has been patched in the latest version of Discourse. Users are advised to update to version 3.1.1 if they are on the stable branch or 3.2.0.beta2 if they are on the beta branch. Users unable to upgrade should disable any plugins that access topic custom fields.

Key dates

02Disclosure timeline

October 16, 2023 CVE published

September 13, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-45147

Related vulnerabilities

Identifiers

CVE CVE-2023-45147

CWE CWE-200

CVSS 4.9 / MEDIUM

Affected versions

Vendor Discourse

Product discourse

Affected <= 3.1.1

Vendor Discourse

Product discourse

Affected beta: <= 3.2.0.beta2

CVE-2023-45147: Arbitrary keys can be added to a topic's custom fields by any user in Discourse

01Description

02Disclosure timeline

03References

04Related CVE