CVE-2023-49099

Discourse secure uploads accessible to guests even when login is required

Discourse is a platform for community discussion. Under very specific circumstances, secure upload URLs associated with posts can be accessed by guest users even when login is required. This vulnerability has been patched in 3.2.0.beta4 and 3.1.4.


We have discovered 1,447 live websites that are affected by CVE-2023-49099.


Affected Software

Product  Discourse
Category Message Boards
Vulnerable Domains 1,447 live websites (27.70% of Discourse install base)
Vulnerable Versions
  • from 0 before 3.1.4
  • from 3.2 before 3.2
Vulnerable Versions Count 82 versions (86.32% of all versions)


Common Weakness Enumeration

CWE-284 Improper Access Control



Details

  • Published - Jan 12, 2024
  • Updated - Aug 2, 2024

CVE-2023-49099 usage by Country

United States 975 websites
Germany 124 websites
France 77 websites
Singapore 41 websites
China 33 websites
GB 19 websites
Russia 15 websites
Netherlands 14 websites
Switzerland 13 websites

CVE-2023-49099 usage by TLD

.com 595 websites
.org 230 websites
.net 73 websites
.io 71 websites
.de 30 websites
.fr 20 websites
.co 17 websites
.ru 16 websites
.eu 14 websites
.com.br 12 websites

Websites affected by CVE-2023-49099

Top websites that are affected by CVE-2023-49099.

FAQ

CVE-2023-49099 is an Improper Access Control vulnerability in Discourse.
A total of 1,447 websites have been identified as vulnerable to CVE-2023-49099, discovered through global website indexing conducted by WebTechSurvey.
Discourse is susceptible to the CVE-2023-49099 vulnerability.
Discourse versions before 3.2 are vulnerable to CVE-2023-49099.
Version 3.2 of Discourse addresses the CVE-2023-49099 security vulnerability.