Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This vulnerability is only exploitable by authenticated users. This issue has been patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade should turn off the `enable inline onebox on all domains` site setting and remove all entries from the `allowed inline onebox domains` site setting.
History

Tue, 04 Feb 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Feb 2025 21:30:00 +0000

Type Values Removed Values Added
Description Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This vulnerability is only exploitable by authenticated users. This issue has been patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade should turn off the `enable inline onebox on all domains` site setting and remove all entries from the `allowed inline onebox domains` site setting.
Title Partial denial of service via inline oneboxes in Discourse
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-02-04T21:16:42.089Z

Updated: 2025-02-04T21:40:59.102Z

Reserved: 2024-11-22T17:30:02.140Z

Link: CVE-2024-53851

cve-icon Vulnrichment

Updated: 2025-02-04T21:40:54.504Z

cve-icon NVD

Status : Received

Published: 2025-02-04T22:15:40.490

Modified: 2025-02-04T22:15:40.490

Link: CVE-2024-53851

cve-icon Redhat

No data.