CVE-2022-23549
Discourse vulnerable to bypass of post max_length using HTML comments
6.5
MEDIUM
CVSS 3.1
EPSS 0.33%
Description
Discourse is an open source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, users can create posts with a raw body longer than the `max_length` site setting by including HTML comments that are not counted toward the character limit. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.
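The weakness class described above, as an added Ruby illustration (not Discourse's own code): a lenient length check that strips HTML comments before counting, beside a strict check on the raw body as submitted. The `MAX_LENGTH` value, the `HTML_COMMENT` pattern, the sample posts and the function names are all constructed for this example.

```ruby
# Constructed site setting for the example (not a Discourse default).
MAX_LENGTH = 40

# Constructed pattern: matches an HTML comment, including across newlines.
HTML_COMMENT = /<!--.*?-->/m

# Lenient check: counts only what remains after comments are removed.
# This is the pattern of weakness CVE-2022-23549 describes, since comment
# padding is invisible to the counter.
def within_limit_lenient?(raw, max_length = MAX_LENGTH)
  raw.gsub(HTML_COMMENT, "").length <= max_length
end

# Strict check: counts the raw body the user actually submitted, so
# comment padding cannot evade the setting.
def within_limit_strict?(raw, max_length = MAX_LENGTH)
  raw.length <= max_length
end

# Constructed samples: a plain short post and the same visible text padded
# with a long HTML comment.
PLAIN_POST  = "hello world"
PADDED_POST = "hello <!-- " + ("x" * 100) + " --> world"

# Audit summary for one post body: raw vs. visible length and both verdicts.
# Useful for flagging stored posts whose raw length exceeds the setting.
def audit(raw, max_length = MAX_LENGTH)
  {
    raw_length: raw.length,
    visible_length: raw.gsub(HTML_COMMENT, "").length,
    lenient: within_limit_lenient?(raw, max_length),
    strict: within_limit_strict?(raw, max_length)
  }
end

if __FILE__ == $PROGRAM_NAME
  p audit(PLAIN_POST)
  p audit(PADDED_POST)
end
```

Running `audit` over existing post bodies after upgrading is a simple way to find posts created before the fix whose raw length still exceeds `max_length`.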
How to fix CVE-2022-23549
To remediate CVE-2022-23549, upgrade the affected package to a fixed version below.
- upgrade to 2.8.14 or later
Is CVE-2022-23549 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Discourse: from 0, < 2.8.14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |