CVE-2024-47773: Anonymous cache poisoning via XHR requests in Discourse
First published: Tue Oct 08 2024(Updated: )
Discourse is an open source platform for community discussion. An attacker can make several XHR requests until the cache is poisoned with a response without any preloaded data. This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Discourse | <latest |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability severity of CVE-2024-47773?
CVE-2024-47773 is considered a medium severity vulnerability that affects Discourse.
How do I fix CVE-2024-47773?
To fix CVE-2024-47773, update Discourse to the latest patched version.
Who is affected by CVE-2024-47773?
CVE-2024-47773 primarily affects anonymous visitors to Discourse sites.
What type of vulnerability is CVE-2024-47773?
CVE-2024-47773 is an issue related to cache poisoning through multiple XHR requests.
Is there a patch available for CVE-2024-47773?
Yes, a patch for CVE-2024-47773 is included in the latest release of Discourse.
- agent/title
- agent/references
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/description
- agent/severity
- agent/author
- agent/event
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/discourse
- canonical/discourse