CVE-2025-59337
Discourse: Cross-Site Data Exposure via Backup Restore Metacommand Injection in Multisite Deployments
Vexday Risk Score
13 (Low)
SSVC decision (CISA)
Track
No sign of exploitation → monitor
CVSS 5.5 · EPSS 0.3% · KEV: no · PoC: — · Nuclei: — · Metasploit: — · Patch: —
Lifecycle
01 Oct 2025: Published in the NVD
Recommendation: Monitor; no sign of exploitation at this time.
Discourse is an open-source community discussion platform. In versions 3.5.0 and below, malicious meta-commands could be embedded in a backup dump and executed during restore. In multisite setups, this allowed an admin of one site to access data or credentials from other sites. This issue is fixed in version 3.5.1.
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H
Affected products
discourse · discourse