{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-49099","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2023-11-21T18:57:30.430Z","datePublished":"2024-01-12T20:53:53.163Z","dateUpdated":"2025-06-17T21:09:17.903Z"},"containers":{"cna":{"title":"Discourse secure uploads accessible to guests even when login is required","problemTypes":[{"descriptions":[{"cweId":"CWE-284","lang":"en","description":"CWE-284: Improper Access Control","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.1,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/discourse/discourse/security/advisories/GHSA-j67x-x6mq-pwv4","tags":["x_refsource_CONFIRM"],"url":"https://github.com/discourse/discourse/security/advisories/GHSA-j67x-x6mq-pwv4"},{"name":"https://github.com/discourse/discourse/commit/1b288236387fc0a823e4f15f1aea8dde81b49d53","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/commit/1b288236387fc0a823e4f15f1aea8dde81b49d53"}],"affected":[{"vendor":"discourse","product":"discourse","versions":[{"version":"< 3.1.4","status":"affected"},{"version":">= 3.2.0beta1, < 3.2.0.beta4","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-01-12T20:53:53.163Z"},"descriptions":[{"lang":"en","value":"Discourse is a platform for community discussion. Under very specific circumstances, secure upload URLs associated with posts can be accessed by guest users even when login is required. \nThis vulnerability has been patched in 3.2.0.beta4 and 3.1.4."}],"source":{"advisory":"GHSA-j67x-x6mq-pwv4","discovery":"UNKNOWN"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T21:46:29.043Z"},"title":"CVE Program Container","references":[{"name":"https://github.com/discourse/discourse/security/advisories/GHSA-j67x-x6mq-pwv4","tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/discourse/discourse/security/advisories/GHSA-j67x-x6mq-pwv4"},{"name":"https://github.com/discourse/discourse/commit/1b288236387fc0a823e4f15f1aea8dde81b49d53","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/discourse/discourse/commit/1b288236387fc0a823e4f15f1aea8dde81b49d53"}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2023-49099","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-01-12T21:50:57.085862Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-06-17T21:09:17.903Z"}}]}}