CVE-2021-43794

MEDIUM

Discourse - Info Disclosure

Title source: llm

Description

Discourse is an open source discussion platform. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown a JSON blob instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

References (2)

[Patch, Third Party Advisory] https://github.com/discourse/discourse/commit/2da0001965c6d8632d723c46ea5df9f22a1a23f1

View Patch ZIP pw:eip

[Third Party Advisory] https://github.com/discourse/discourse/security/advisories/GHSA-249g-pc77-65hp

Scores

CVSS v3 5.3

EPSS 0.0038

EPSS Percentile 59.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE

CWE-610

Status published

Products (1)

discourse/discourse < 2.7.11

Published Dec 01, 2021

Tracked Since Feb 18, 2026