CVE-2024-49765 | ByteOS Network

Vulnerability Details :

CVE-2024-49765

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-19 Dec, 2024 | 19:15

Updated At-20 Dec, 2024 | 20:00

Bypass of Discourse Connect using other login paths if enabled in Discourse

Discourse is an open source platform for community discussion. Sites that are using discourse connect but still have local logins enabled could allow attackers to bypass discourse connect to create accounts and login. This problem is patched in the latest version of Discourse. Users unable to upgrade who are using discourse connect may disable all other login methods as a workaround.

EPSS History

Score

Latest Score

-

N/A

Percentile

Latest Percentile

-

N/A

▼Common Vulnerabilities and Exposures (CVE)

Assigner:GitHub_M

Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa

Published At:19 Dec, 2024 | 19:15

Updated At:20 Dec, 2024 | 20:00

▼CVE Numbering Authority (CNA)

Bypass of Discourse Connect using other login paths if enabled in Discourse

Discourse is an open source platform for community discussion. Sites that are using discourse connect but still have local logins enabled could allow attackers to bypass discourse connect to create accounts and login. This problem is patched in the latest version of Discourse. Users unable to upgrade who are using discourse connect may disable all other login methods as a workaround.

Affected Products

Vendor

Civilized Discourse Construction Kit, Inc.

Product

Versions

Affected

stable: <= 3.3.2
beta: <= 3.4.0.beta3
tests-passed: <= 3.4.0.beta3

Problem Types

Type	CWE ID	Description
CWE	CWE-359	CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Type: CWE

CWE ID: CWE-359

Description: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Metrics

Version	Base score	Base severity	Vector
3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Version: 3.1

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

Hyperlink	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-v8rf-pvgm-xxf2	x_refsource_CONFIRM

Hyperlink: https://github.com/discourse/discourse/security/advisories/GHSA-v8rf-pvgm-xxf2

Resource:

x_refsource_CONFIRM

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

Source:security-advisories@github.com

Published At:19 Dec, 2024 | 20:15

Updated At:26 Aug, 2025 | 02:19

Discourse is an open source platform for community discussion. Sites that are using discourse connect but still have local logins enabled could allow attackers to bypass discourse connect to create accounts and login. This problem is patched in the latest version of Discourse. Users unable to upgrade who are using discourse connect may disable all other login methods as a workaround.

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary	3.1	9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Type: Secondary

Version: 3.1

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Type: Primary

Version: 3.1

Base score: 9.1

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CPE Matches

Civilized Discourse Construction Kit, Inc.

>>discourse>>Versions before 3.3.3(exclusive)

cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>Versions before 3.4.0(exclusive)

cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>Versions before 3.4.0(exclusive)

cpe:2.3:a:discourse:discourse:*:-:*:*:tests-passed:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>3.4.0

cpe:2.3:a:discourse:discourse:3.4.0:-:*:*:beta:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>3.4.0

cpe:2.3:a:discourse:discourse:3.4.0:-:*:*:tests-passed:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>3.4.0

cpe:2.3:a:discourse:discourse:3.4.0:beta1:*:*:beta:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>3.4.0

cpe:2.3:a:discourse:discourse:3.4.0:beta1:*:*:tests-passed:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>3.4.0

cpe:2.3:a:discourse:discourse:3.4.0:beta2:*:*:beta:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>3.4.0

cpe:2.3:a:discourse:discourse:3.4.0:beta2:*:*:tests-passed:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>3.4.0

cpe:2.3:a:discourse:discourse:3.4.0:beta3:*:*:beta:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>3.4.0

cpe:2.3:a:discourse:discourse:3.4.0:beta3:*:*:tests-passed:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-359	Primary	security-advisories@github.com

CWE ID: CWE-359

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-v8rf-pvgm-xxf2	security-advisories@github.com	Vendor Advisory

Hyperlink: https://github.com/discourse/discourse/security/advisories/GHSA-v8rf-pvgm-xxf2

Source: security-advisories@github.com

Resource:

Vendor Advisory