SB2023061911 - Multiple vulnerabilities in Discourse

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Incorrect permission assignment for critical resource (CVE-ID: CVE-2023-31142)

The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to incorrect permission assignment for critical resource. A remote administrator can set back to default general category permissions.

2) Input validation error (CVE-ID: CVE-2023-32301)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to canonical url is not used for topic embeddings. A remote attacker can create multiple duplicate topics if topic embedding is enabled.

3) Incorrect authorization (CVE-ID: CVE-2023-32061)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to lack of restrictions on the iFrame tag. A remote attacker can hide subsequent comments from other users.

4) Information disclosure (CVE-ID: CVE-2023-34250)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can use the new topics dismissal endpoint to reveal the number of topics recently created.

Remediation

Install update from vendor's website.

References

• https://github.com/discourse/discourse/security/advisories/GHSA-286w-97m2-78x2
• https://github.com/discourse/discourse/security/advisories/GHSA-p2jx-m2j5-hqh4
• https://github.com/discourse/discourse/security/advisories/GHSA-prx4-49m8-874g
• https://github.com/discourse/discourse/security/advisories/GHSA-q8m5-wmjr-3ppg