Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This vulnerability is only exploitable by authenticated users. This issue has been patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade should turn off the `enable inline onebox on all domains` site setting and remove all entries from the `allowed inline onebox domains` site setting.
History
Tue, 04 Feb 2025 22:15:00 +0000

Type | Values Removed | Values Added
---|---|---
Metrics | ssvc |
Tue, 04 Feb 2025 21:30:00 +0000

Type | Values Removed | Values Added
---|---|---
Description | Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This vulnerability is only exploitable by authenticated users. This issue has been patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade should turn off the `enable inline onebox on all domains` site setting and remove all entries from the `allowed inline onebox domains` site setting. |
Title | Partial denial of service via inline oneboxes in Discourse |
Weaknesses | CWE-400 |
References | |
Metrics | cvssV3_1 |

Status: PUBLISHED
Assigner: GitHub_M
Published: 2025-02-04T21:16:42.089Z
Updated: 2025-02-04T21:40:59.102Z
Reserved: 2024-11-22T17:30:02.140Z
Link: CVE-2024-53851

Updated: 2025-02-04T21:40:54.504Z

Status: Received
Published: 2025-02-04T22:15:40.490
Modified: 2025-02-04T22:15:40.490
Link: CVE-2024-53851
