CVE-2023-45806: DoS via Regexp Injection in Full Name

Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the stable branch and version 3.2.0.beta3 of the beta and tests-passed branches, if a user has been quoted and uses a | in their full name, they might be able to trigger a bug that generates a lot of duplicate content in all the posts they’ve been quoted by updating their full name again. Version 3.1.3 of the stable branch and version 3.2.0.beta3 of the beta and tests-passed branches contain a patch for this issue. No known workaround exists, although one can stop the “bleeding” by ensuring users only use alphanumeric characters in their full name field.

CVE

Package

No package listed

Affected versions

stable < 3.1.3; beta/tests-passed < 3.2.0.beta3

Patched versions

stable >= 3.1.3; beta/tests-passed >= 3.2.0.beta3

Description

Impact

If a user has been quoted and uses a | in their full name, they might be able to trigger a bug that generates a lot of duplicate content in all the posts they’ve been quoted by updating their full name again.

Patches

The problem has been patched in the latest version of Discourse.

Workarounds

There are none, although one can stop the “bleeding” by ensuring users only use alphanumeric characters in their full name field.
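The bug class named in the title, shown as an added Ruby example; this is not Discourse's code. It assumes a rename step that interpolates the old full name into a pattern, and the function names and the simplified quote markup are hypothetical.

```ruby
# Added illustration of regexp injection through a name field.
# Not Discourse's implementation; all names below are hypothetical.

# Constructed sample: a stored post that quotes a user whose full name is "Ann|".
SAMPLE = '[quote="Ann|, post:1"]hello[/quote]'

# Unsafe: the old name becomes part of the pattern. "Ann|" compiles to
# /Ann|/, i.e. "Ann" OR the empty string, and the empty alternative matches
# at every position, so the new name is inserted throughout the post.
def rename_unsafe(raw, old_name, new_name)
  raw.gsub(/#{old_name}/, new_name)
end

# Safe: Regexp.escape turns metacharacters into literals, so only the exact
# text of the old name is replaced.
def rename_safe(raw, old_name, new_name)
  raw.gsub(/#{Regexp.escape(old_name)}/, new_name)
end

# The advisory's stop-gap expressed as an input check: accept a full name
# only if every character is alphanumeric.
def alphanumeric_name?(name)
  name.match?(/\A[[:alnum:]]+\z/)
end

if __FILE__ == $0
  bad  = rename_unsafe(SAMPLE, "Ann|", "Bob")
  good = rename_safe(SAMPLE, "Ann|", "Bob")
  puts "original : #{SAMPLE.length} chars"
  puts "unsafe   : #{bad.length} chars, #{bad.scan('Bob').length} insertions"
  puts "escaped  : #{good}"
  puts "name ok? : #{alphanumeric_name?('Ann|')}"
end
```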
