Loïc Guitaut

4 exploits Active since Mar 2023
CVE-2023-28107 WRITEUP MEDIUM WRITEUP
Discourse < 3.0.2 and < 3.1.0.beta3 - Authenticated Denial of Service via Backup Request Flood
Discourse is an open-source discussion platform. Prior to version 3.0.2 of the `stable` branch and version 3.1.0.beta3 of the `beta` and `tests-passed` branches, a user logged in as an administrator can request backups repeatedly, which exhausts all available database connections. On a site using multisite, this can affect the whole cluster. The vulnerability is patched in version 3.0.2 of the `stable` branch and version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.
CVSS 4.5
CVE-2023-25819 WRITEUP MEDIUM WRITEUP
Discourse tests-passed and beta branches >= 3.1.0.beta2 - Exposure of Private Personal Information via Metadata
Discourse is an open-source platform for community discussion. Tags that are normally private are exposed in page metadata. This affects any site running the `tests-passed` or `beta` branches at version >= 3.1.0.beta2. The issue is patched in the latest `beta` and `tests-passed` versions of Discourse.
CVSS 5.3
CVE-2025-32376 WRITEUP MEDIUM WRITEUP
Discourse < 3.4.3 - Improper Access Control via Direct Message User Limit Bypass
Discourse is an open-source discussion platform. Prior to version 3.4.3 on the `stable` branch and 3.5.0.beta3 on the `beta` branch, the limit on the number of users in a direct message (DM) can be bypassed, potentially allowing a DM to be created that includes every user on the site. This issue has been patched in stable version 3.4.3 and beta version 3.5.0.beta3.
CVSS 4.3