SB2025020538 - Multiple vulnerabilities in Discourse



SB2025020538 - Multiple vulnerabilities in Discourse

Published: February 5, 2025 Updated: July 1, 2026

Security Bulletin ID SB2025020538
CSH Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Origin validation error (CVE-ID: CVE-2024-55948)

CWE-ID: CWE-346 - Origin Validation Error

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the cache poisoning issue within XHR requests. A remote attacker can use a specially crafted XHR request to poison the anonymous cache.


2) Origin validation error (CVE-ID: CVE-2025-23023)

CWE-ID: CWE-346 - Origin Validation Error

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the cache poisoning issue within request headers. A remote attacker can use a specially crafted request with the right request headers to poison the anonymous cache.


3) Acceptance of Extraneous Untrusted Data With Trusted Data (CVE-ID: CVE-2024-47773)

CWE-ID: CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to poison the anonymous cache and modify content served to anonymous visitors.

The vulnerability exists due to improper cache handling in the anonymous cache mechanism when processing XHR requests. A remote attacker can make several XHR requests to poison the anonymous cache and modify content served to anonymous visitors.

This issue only affects anonymous visitors of the site.


Remediation

Install update from vendor's website.