BIT-discourse-2023-46130
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2023-46130.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-discourse-2023-46130
- Aliases
- Published
- 2024-03-06T10:52:27.869Z
- Modified
- 2025-05-20T10:02:07.006Z
- Summary
- Bypassing height value allowed in some theme components
- Details
-
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the
stablebranch and version 3.2.0.beta3 of thebetaandtests-passedbranches, some theme components allow users to add svgs with unlimitedheightattributes, and this can affect the availability of subsequent replies in a topic. Most Discourse instances are unaffected, only instances with the svgbob or the mermaid theme component are within scope. The issue is patched in version 3.1.3 of thestablebranch and version 3.2.0.beta3 of thebetaandtests-passedbranches. As a workaround, disable or remove the relevant theme components. - Database specific
{ "severity": "Medium", "cpes": [ "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*", "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*", "cpe:2.3:a:discourse:discourse:3.2.0:beta1:*:*:beta:*:*:*", "cpe:2.3:a:discourse:discourse:3.2.0:beta2:*:*:beta:*:*:*" ] }- References
-
- https://github.com/discourse/discourse/commit/6183d9633de873ac2b1e9cdb6ac1c94b4ffae9cb
- https://github.com/discourse/discourse/commit/89a2e60706ce22e4afc463d03af2f34c53291800
- https://github.com/discourse/discourse/security/advisories/GHSA-c876-638r-vfcg
- https://nvd.nist.gov/vuln/detail/CVE-2023-46130
Affected packages
Bitnami / discourse
Package
- Name
- discourse
- Purl
- pkg:bitnami/discourse
Severity
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVSS Calculator