It has come to light that Discourse, the popular open-source internet forum system, has been found to have a number of serious security vulnerabilities.
These flaws have caused significant concerns, particularly considering the platform's adoption by well-known organizations like Samsung, Zoom, OpenAI, MetaMask, and numerous others.
The vulnerabilities, which have been fixed, had the potential to be exploited by malicious individuals to disrupt services, gain access to sensitive information, and carry out unauthorized actions.
Found vulnerabilities within the Discourse CMS
The vulnerabilities have been found in earlier versions of Discourse on both the stable and tests-passed branches. Here's a breakdown of the discovered vulnerabilities
• CVE-2024-37157
This vulnerability enabled a malicious actor to manipulate the FastImage library, redirecting requests to an internal Discourse IP address.
This exploit has the potential to be used for performing actions that are not authorized or accessing data that is restricted within the Discourse network.
• CVE-2024-36113:
In this scenario, a staff member with malicious intent had the power to suspend other staff members, thereby blocking their access to the site.
This flaw has the potential to cause disruptions in site administration and user support functions, resulting in significant operational issues.
• CVE-2024-36122:
This flaw enables moderators, while using the review queue, could unintentionally view users' email addresses, even if the setting to disallow moderators from viewing email addresses was enabled.
This oversight has the potential to jeopardize user privacy and expose sensitive information to unauthorized individuals.
• CVE-2024-35234:
This vulnerability enabled attackers to execute arbitrary JavaScript on users' browsers by posting a URL with carefully crafted meta tags.
This problem posed a significant risk for websites that had disabled Content Security Policy (CSP), as it had the potential to be exploited on a large scale and result in data theft.
• CVE-2024-35227:
This flaw will give attackers the potential to disrupt the availability of a Discourse instance by exploiting a carefully crafted malicious URL through Oneboxing.
This vulnerability has the potential to result in denial-of-service attacks, which would make the forum inaccessible to legitimate users.
Update your Discourse instances
These vulnerabilities were discovered by security researchers and contributors on GitHub, and were quickly reported to the Discourse development team.
The Discourse development team has quickly responded to these findings by addressing the vulnerabilities.
All of the issues have been resolved in version 3.2.3 on the stable branch and version 3.3.0.beta3 on the tests-passed branch.
It is highly recommended that users and administrators update their Discourse instances to these versions as soon as possible to minimize any potential risks.