CVE-2024-55948: Anonymous cache poisoning via XHR requests in Discourse
First published: Tue Feb 04 2025(Updated: )
Discourse is an open source platform for community discussion. In affected versions an attacker can make craft an XHR request to poison the anonymous cache (for example, the cache may have a response with missing preloaded data). This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Discourse Discourse |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-55948?
CVE-2024-55948 has been classified as a moderate severity vulnerability.
How do I fix CVE-2024-55948?
To fix CVE-2024-55948, update Discourse to the latest version that addresses this vulnerability.
Who is affected by CVE-2024-55948?
CVE-2024-55948 affects anonymous visitors of the Discourse platform.
What type of attack does CVE-2024-55948 involve?
CVE-2024-55948 involves an attacker crafting an XHR request to poison the anonymous cache.
Can CVE-2024-55948 lead to data being exposed?
Yes, CVE-2024-55948 can potentially lead to the exposure of preloaded data for anonymous visitors.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/type
- agent/description
- agent/title
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/severity
- agent/last-modified-date
- agent/author
- agent/source
- agent/tags
- agent/event
- vendor/discourse
- canonical/discourse discourse