Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, a malicious actor can add large payloads of text into the Location and Website fields of a user profile, which causes issues for other users when loading that profile. A fix to limit the length of user input for these fields is included in version 2.8.9 on the `stable` branch and version 2.9.0.beta10 on the `beta` and `tests-passed` branches. There are no known workarounds.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
| Link | Tags |
|---|---|
| https://github.com/discourse/discourse/security/advisories/GHSA-jw3q-xg5g-qjrw | third party advisory |
| https://github.com/discourse/discourse/pull/18302 | third party advisory, patch |
| https://github.com/discourse/discourse/commit/e69f7d2fd9c977dedbdb17f6813651e2a45bfb71 | third party advisory, patch |