CVE-2023-45806

Discourse vulnerable to DoS via Regexp Injection in Full Name

Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, if a user has been quoted and uses a `|` in their full name, they might be able to trigger a bug that generates a lot of duplicate content in all the posts they've been quoted by updating their full name again. Version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches contain a patch for this issue. No known workaround exists, although one can stop the "bleeding" by ensuring users only use alphanumeric characters in their full name field.


We have discovered 1,435 live websites that are affected by CVE-2023-45806.


Affected Software

Product  Discourse
Category Message Boards
Vulnerable Domains 1,435 live websites (27.47% of Discourse install base)
Vulnerable Versions
  • from 0 before 3.1.3
  • from 3.2 before 3.2
Vulnerable Versions Count 81 versions (85.26% of all versions)


Common Weakness Enumeration

CWE-1333 Inefficient Regular Expression Complexity



Details

  • Published - Nov 10, 2023
  • Updated - Sep 3, 2024

CVE-2023-45806 usage by Country

United States 967 websites
Germany 121 websites
France 77 websites
Singapore 41 websites
China 33 websites
GB 19 websites
Russia 15 websites
Netherlands 13 websites
Switzerland 13 websites

CVE-2023-45806 usage by TLD

.com 593 websites
.org 227 websites
.net 72 websites
.io 70 websites
.de 28 websites
.fr 20 websites
.co 17 websites
.ru 16 websites
.eu 14 websites
.com.br 12 websites



FAQ

CVE-2023-45806 is Inefficient Regular Expression Complexity in Discourse
A total of 1,435 websites have been identified as vulnerable to CVE-2023-45806, discovered through global website indexing conducted by WebTechSurvey.
Discourse is susceptible to the CVE-2023-45806 vulnerability.
Discourse versions before 3.2 are vulnerable to CVE-2023-45806.
Version 3.2 of Discourse addresses the CVE-2023-45806 security vulnerability.