Description
Discourse is an open source discussion platform. In some rare cases, users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this; it happens transparently in the background. This issue has been resolved in commit `a414520742` and will be included in future releases. Users are advised to upgrade. Users are also advised to set `SiteSetting.max_invites_per_day` to 0 until the patch is installed.
References (2)
Patch, Third Party Advisory: https://github.com/discourse/discourse/commit/a414520742da8dc9dc976d4fb7b72dbd445813bb
Third Party Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-gh5r-j595-qx48
Scores
CVSS v3: 6.5
EPSS: 0.0024
EPSS Percentile: 47.6%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-200, CWE-863
Status: published
Products (2)
discourse/discourse 2.9.0 beta1 (9 CPE variants)
discourse/discourse < 2.8.10
Published: Nov 14, 2022
Tracked Since: Feb 18, 2026