CVE-2024-27085
Severity: MEDIUM
Discourse < 3.2.0 and < 3.3.0 - Uncontrolled Resource Consumption via Invite Route Parameters
Title source: llmDescription
Discourse is an open source platform for community discussion. In affected versions, users who are allowed to invite others can submit arbitrarily large values in the parameters of the invite route, and the server accepts them without a size limit (uncontrolled resource consumption, CWE-400). The problem has been patched in the latest version of Discourse, and users are advised to upgrade. Users unable to upgrade should disable invites, or restrict them to trusted groups with the `invite allowed groups` site setting.
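The weakness class and both workarounds described above, as an added Ruby example that is not Discourse's own code: an "unbounded" invite builder that accepts whatever size it is given, the same builder behind a per-parameter byte limit that fails before any size-proportional work, and a permission check modelling "disable invites" and "restrict to allowed groups". The parameter names, the limits and the `invite_permitted?` helper are assumptions chosen for illustration, not Discourse's actual validation rules or settings API.

```ruby
# Added example, not Discourse's own code. Parameter names and limits
# are assumed for illustration; Discourse's real invite validation differs.

class InviteParamError < StandardError; end

# Assumed per-field byte limits. A field with no entry is rejected rather
# than silently accepted, so a newly added parameter cannot become an
# unbounded one by omission.
INVITE_PARAM_LIMITS = {
  "email"                   => 254,   # longest address an SMTP path allows
  "custom_message"          => 1000,
  "topic_id"                => 20,
  "group_ids"               => 64,    # comma-separated numeric ids
  "max_redemptions_allowed" => 10,
}.freeze

# "Before" shape of the weakness: every value is normalised and copied
# as-is, so a caller with invite rights decides how much memory and CPU
# the server spends on each request.
def build_invite_unbounded(params)
  {
    email:   params["email"].to_s.strip.downcase,
    message: params["custom_message"].to_s.strip,
    groups:  params["group_ids"].to_s.split(",").map(&:strip),
  }
end

# Hardened form: check size and field name before any allocation that
# grows with the input. bytesize, not length, so multi-byte characters
# cannot slip a larger payload under a character-based limit.
def enforce_invite_param_limits(params, limits = INVITE_PARAM_LIMITS)
  params.each do |name, value|
    limit = limits[name]
    raise InviteParamError, "unexpected parameter #{name}" if limit.nil?
    size = value.to_s.bytesize
    raise InviteParamError, "#{name} is #{size} bytes, limit #{limit}" if size > limit
  end
  params
end

def build_invite_bounded(params)
  build_invite_unbounded(enforce_invite_param_limits(params))
end

# The advisory's workaround, modelled as a check on the caller: invites
# can be switched off entirely, or limited to members of the groups named
# in a site setting (here a plain array of group names, an assumption).
def invite_permitted?(user_groups, allowed_groups, invites_enabled: true)
  return false unless invites_enabled
  !(user_groups & allowed_groups).empty?
end

if __FILE__ == $0
  ok = { "email" => "alice@example.com", "custom_message" => "Join us" }
  p build_invite_bounded(ok)

  # Constructed oversize request: a 5 MB custom message.
  oversized = ok.merge("custom_message" => "A" * 5_000_000)
  p build_invite_unbounded(oversized)[:message].bytesize  # copied in full
  begin
    build_invite_bounded(oversized)
  rescue InviteParamError => e
    puts "rejected: #{e.message}"                          # refused early
  end

  p invite_permitted?(%w[trust_level_1], %w[staff trust_level_2])
  p invite_permitted?(%w[trust_level_2], %w[staff trust_level_2])
  p invite_permitted?(%w[staff], %w[staff], invites_enabled: false)
end
```

Rejecting unknown field names as well as oversize values is the part worth carrying into a real controller: a size limit that only covers the fields you thought of leaves the next added parameter exactly as exposed as the ones this advisory covers.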
References (2)
- https://github.com/discourse/discourse/security/advisories/GHSA-cvp5-h7p8-mjj6 (Third Party Advisory; x_refsource_confirm)
Scores
CVSS v3: 6.5 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (network-reachable, low privileges required, no user interaction; availability impact only)
Attack vector: NETWORK
EPSS: 0.0009 (0.09%)
EPSS percentile: 25.1%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-400 (Uncontrolled Resource Consumption)
Status: published
Products (3)
- discourse/discourse 3.3.0 beta1
- discourse/discourse < 3.2.0
- discourse/discourse < 3.3.0
Published: Mar 15, 2024
Tracked since: Feb 18, 2026