We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-53851

Partial denial of service via inline oneboxes in Discourse



Description

Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This vulnerability is only exploitable by authenticated users. This issue has been patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade should turn off the `enable inline onebox on all domains` site setting and remove all entries from the `allowed inline onebox domains` site setting.

Reserved 2024-11-22 | Published 2025-02-04 | Updated 2025-02-04 | Assigner GitHub_M


MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-400: Uncontrolled Resource Consumption

Product status

stable: <= 3.3.2
affected

beta: <= 3.4.0.beta3
affected

tests-passed: <= 3.4.0.beta3
affected

References

github.com/...course/security/advisories/GHSA-49rv-574x-wgpc

github.com/...ommit/416ec83ae57924d721e6e374f4cda78bd77a4599

cve.org (CVE-2024-53851)

nvd.nist.gov (CVE-2024-53851)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-53851

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.
MonTueWedThuFriSatSun
242526272812345678910111213141516171819202122232425262728293031123456
MonTueWedThuFriSatSun
242526272812345678910111213141516171819202122232425262728293031123456