CVE-2024-47773

Discourse is an open source platform for community discussion. An attacker can make several XHR requests until the cache is poisoned with a response without any preloaded data. This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-58vv-9j8h-hw2v	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*

History

26 Aug 2025, 16:58

Type	Values Removed	Values Added
CPE		cpe:2.3:a:discourse:discourse:::::stable:::*
References	~~() https://github.com/discourse/discourse/security/advisories/GHSA-58vv-9j8h-hw2v -~~	() https://github.com/discourse/discourse/security/advisories/GHSA-58vv-9j8h-hw2v - Third Party Advisory
First Time		Discourse Discourse discourse

Information

Published : 2024-10-08 18:15

Updated : 2025-08-26 16:58

NVD link : CVE-2024-47773

Mitre link : CVE-2024-47773

CVE.ORG link : CVE-2024-47773

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-610

Externally Controlled Reference to a Resource in Another Sphere

{"id": "CVE-2024-47773", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 3.9}]}, "published": "2024-10-08T18:15:30.720", "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-58vv-9j8h-hw2v", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-610"}]}], "descriptions": [{"lang": "en", "value": "Discourse is an open source platform for community discussion. An attacker can make several XHR requests until the cache is poisoned with a response without any preloaded data. This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value."}, {"lang": "es", "value": "Discourse es una plataforma de c\u00f3digo abierto para debates comunitarios. Un atacante puede realizar varias solicitudes XHR hasta que la cach\u00e9 se envenene con una respuesta sin ning\u00fan dato precargado. Este problema solo afecta a los visitantes an\u00f3nimos del sitio. Este problema se ha solucionado en la \u00faltima versi\u00f3n de Discourse. Se recomienda a los usuarios que actualicen la versi\u00f3n. Los usuarios que no puedan actualizar la versi\u00f3n deben desactivar la cach\u00e9 an\u00f3nima configurando la variable de entorno `DISCOURSE_DISABLE_ANON_CACHE` con un valor que no est\u00e9 vac\u00edo."}], "lastModified": "2025-08-26T16:58:28.737", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*", "vulnerable": true, "matchCriteriaId": "16A670AB-8B0F-4866-9592-0B463C93175C", "versionEndExcluding": "3.3.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}