6.5

CVE-2022-23549

Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, users can create posts with raw body longer than the `max_length` site setting by including html comments that are not counted toward the character limit. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DiscourseDiscourse Version < 2.8.14
DiscourseDiscourse Version2.9.0 Updatebeta1
DiscourseDiscourse Version2.9.0 Updatebeta10
DiscourseDiscourse Version2.9.0 Updatebeta11
DiscourseDiscourse Version2.9.0 Updatebeta12
DiscourseDiscourse Version2.9.0 Updatebeta13
DiscourseDiscourse Version2.9.0 Updatebeta14
DiscourseDiscourse Version2.9.0 Updatebeta2
DiscourseDiscourse Version2.9.0 Updatebeta3
DiscourseDiscourse Version2.9.0 Updatebeta4
DiscourseDiscourse Version2.9.0 Updatebeta5
DiscourseDiscourse Version2.9.0 Updatebeta6
DiscourseDiscourse Version2.9.0 Updatebeta7
DiscourseDiscourse Version2.9.0 Updatebeta8
DiscourseDiscourse Version3.0.0 Updatebeta15
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.33% 0.551
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com 5.7 2.1 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.