Description
Discourse is an open source platform for community discussion. In affected versions, a moderator can reduce the availability of a Discourse instance by creating replacement words with an almost unlimited number of characters. This issue has been addressed in stable version 3.2.3 and in current betas. Users are advised to upgrade. Users unable to upgrade may manually remove the long watched words either via SQL or the Rails console.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/discourse/discourse/security/advisories/GHSA-68pm-hm8x-pq2p
Scores
CVSS v3
4.9
EPSS
0.0035
EPSS Percentile
57.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (3)
discourse/discourse
3.3.0 beta1 (2 CPE variants)
discourse/discourse
< 3.3.0
discourse/discourse
< 3.3.2
Published
Jul 15, 2024
Tracked Since
Feb 18, 2026