CVE-2023-49099
Discourse secure uploads accessible to guests even when login is required
CVSS 3.1: 4.3 (MEDIUM)
EPSS: 0.29%
Description
Discourse is a platform for community discussion. Under very specific circumstances, secure upload URLs associated with posts can be accessed by guest users even when login is required. This vulnerability has been patched in 3.2.0.beta4 and 3.1.4.
How to fix CVE-2023-49099
To remediate CVE-2023-49099, upgrade the affected package to a fixed version below.
- Upgrade to 3.1.4 or later
Is CVE-2023-49099 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.1.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |