Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, if a user has been quoted and uses a `|` in their full name, they might be able to trigger a bug that generates a lot of duplicate content in all the posts they've been quoted by updating their full name again. Version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches contain a patch for this issue. No known workaround exists, although one can stop the "bleeding" by ensuring users only use alphanumeric characters in their full name field.
We have discovered 1,435 live websites that are affected by CVE-2023-45806.
Product | Discourse |
Category | Message Boards |
Vulnerable Domains | 1,435 live websites (27.47% of Discourse install base) |
Vulnerable Versions |
|
Vulnerable Versions Count | 81 versions ( 85.26% of all versions) |
United States | 967 websites |
Germany | 121 websites |
France | 77 websites |
Singapore | 41 websites |
China | 33 websites |
GB | 19 websites |
Russia | 15 websites |
Netherlands | 13 websites |
Switzerland | 13 websites |
.com | 593 websites |
.org | 227 websites |
.net | 72 websites |
.io | 70 websites |
.de | 28 websites |
.fr | 20 websites |
.co | 17 websites |
.ru | 16 websites |
.eu | 14 websites |
.com.br | 12 websites |
Domain | Country | Rank | Contacts |
---|---|---|---|
*********.***.com | France | *,*** | |
*********.*******.org | United States | **,*** | |
******.********.com | United States | **,*** | |
*********.***************.com | United States | **,*** | |
*****.******.com | United States | ***,*** | |
*********.**********.de | Germany | ***,*** | |
*****.******.cloud | United States | ***,*** | |
**********.com | United States | ***,*** | |
*********.*********.com | ***,*** | ||
*********.**********.io | United States | ***,*** |
FAQ