7.2

CVE-2022-36068

Discourse moderators can edit themes via the API

Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, a moderator can create new and edit existing themes by using the API when they should not be able to do so. The problem is patched in version 2.8.9 on the `stable` branch and version 2.9.0.beta10 on the `beta` and `tests-passed` branches. There are no known workarounds.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DiscourseDiscourse Version < 2.8.9
DiscourseDiscourse Version2.9.0 Updatebeta1
DiscourseDiscourse Version2.9.0 Updatebeta2
DiscourseDiscourse Version2.9.0 Updatebeta3
DiscourseDiscourse Version2.9.0 Updatebeta4
DiscourseDiscourse Version2.9.0 Updatebeta5
DiscourseDiscourse Version2.9.0 Updatebeta6
DiscourseDiscourse Version2.9.0 Updatebeta7
DiscourseDiscourse Version2.9.0 Updatebeta8
DiscourseDiscourse Version2.9.0 Updatebeta9
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.72% 0.488
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/discourse/discourse/commit/ae1e536e83940d58f1c79b835c75c249121c46b6
Patch
Third Party Advisory
https://github.com/discourse/discourse/pull/18418
Patch
Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-6crr-3662-263q
Third Party Advisory