CVE-2023-28440
Denial of service via admin theme import route in Discourse
2.7
LOW
CVSS 3.1
EPSS 0.49%
Description
Discourse is an open source platform for community discussion. In affected versions a maliciously crafted request from a Discourse administrator can lead to a long-running request and eventual timeout. This has the greatest potential impact in shared hosting environments where admins are untrusted. This issue has been addressed in versions 3.0.3 and 3.1.0.beta4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
How to fix CVE-2023-28440
To remediate CVE-2023-28440, upgrade the affected package to a fixed version below.
- —upgrade to 3.0.3 or later
Is CVE-2023-28440 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.0.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW2.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L |