Inclusion of Functionality from Untrusted Control Sphere

CVE-2022-24824

Medium

5.3/10

Summary

Discourse is an open source platform for community discussion. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown the crawler view of the site instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are no known workarounds for this issue.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: LOW

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References

Advisory Timeline

Published Apr 14, 2022

Inclusion of Functionality from Untrusted Control Sphere

CVE-2022-24824

Summary

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS