What is the vulnerability ID of this vulnerability?

The vulnerability ID of this vulnerability is CVE-2023-46130.

What is the severity level of CVE-2023-46130?

The severity level of CVE-2023-46130 is medium with a CVSS score of 5.4.

What is the impact of the vulnerability CVE-2023-46130?

The vulnerability allows users to bypass the height value restriction in some theme components, which can affect the availability of certain resources.

How can I fix the vulnerability CVE-2023-46130?

To fix the vulnerability CVE-2023-46130, please update Discourse to version 3.1.3 for the `stable` branch and version 3.2.0.beta3 for the `beta` and `tests-passed` branches.

Vulnerability/
CVE-2023-46130

medium

5.4

CWE

770

10/11/2023

3/9/2024

CVE-2023-46130: Bypassing height value allowed in some theme components

Q: How does CVE-2023-46130 affect Discourse?

CVE-2023-46130 affects Discourse prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches.

First published: Fri Nov 10 2023(Updated: )

Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some theme components allow users to add svgs with unlimited `height` attributes, and this can affect the availability of subsequent replies in a topic. Most Discourse instances are unaffected, only instances with the svgbob or the mermaid theme component are within scope. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. As a workaround, disable or remove the relevant theme components.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Discourse Discourse	<3.1.3
Discourse Discourse	<3.2.0
Discourse Discourse	=3.2.0-beta1
Discourse Discourse	=3.2.0-beta2

Remedy

https://github.com/discourse/discourse/commit/6183d9633de873ac2b1e9cdb6ac1c94b4ffae9cb

Remedy

https://github.com/discourse/discourse/commit/89a2e60706ce22e4afc463d03af2f34c53291800

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID of this vulnerability?
The vulnerability ID of this vulnerability is CVE-2023-46130.
What is the severity level of CVE-2023-46130?
The severity level of CVE-2023-46130 is medium with a CVSS score of 5.4.
How does CVE-2023-46130 affect Discourse?
CVE-2023-46130 affects Discourse prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches.
What is the impact of the vulnerability CVE-2023-46130?
The vulnerability allows users to bypass the height value restriction in some theme components, which can affect the availability of certain resources.
How can I fix the vulnerability CVE-2023-46130?
To fix the vulnerability CVE-2023-46130, please update Discourse to version 3.1.3 for the `stable` branch and version 3.2.0.beta3 for the `beta` and `tests-passed` branches.

collector/nvd-api
agent/type
agent/event
collector/mitre-cve
source/MITRE
agent/weakness
agent/title
agent/remedy
agent/last-modified-date
agent/severity
agent/softwarecombine
agent/tags
agent/author
agent/references
agent/first-publish-date
agent/description
vendor/discourse
canonical/discourse discourse
version/discourse discourse/3.2.0-beta1
version/discourse discourse/3.2.0-beta2

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.