CVE-2022-24824

MEDIUM

Discourse - Info Disclosure

Title source: llm

Description

Discourse is an open-source platform for community discussion. In affected versions, an attacker can poison the cache for anonymous (i.e. not logged-in) users so that those users are shown the crawler view of the site instead of the HTML page. This can lead to a partial denial of service. The issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are no known workarounds.

Scores

CVSS v3: 5.3
EPSS: 0.0038
EPSS Percentile: 59.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-829
Status: published
Products (2):
  discourse/discourse 2.9.0 beta1 (3 CPE variants)
  discourse/discourse < 2.8.3
Published: Apr 14, 2022
Tracked Since: Feb 18, 2026