In an alert, the Cybersecurity and Infrastructure Security Agency (CISA) warned of a critical security flaw in Discourse, an open source discussion platform. According to the report, the flaw resides in the upstream gem aws-sdk-sns and is described as a validation error whose exploitation would allow remote code execution through a specially crafted request.

As some users may know, Discourse is a software solution for managing mailing lists and Internet forums and hosting long-form chat rooms, with live updates and attachment support.

The flaw is tracked as CVE-2021-41163 and received the maximum score of 10.0 under the Common Vulnerability Scoring System (CVSS). Both CISA and Discourse point out that the flaw exists due to insufficient validation of subscribe_url values. The developers released a patch but withheld additional technical details, citing the possibility of active exploitation.
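As an added illustration, not Discourse's own patch (whose details the developers withheld), the following Ruby validator shows the kind of check that "insufficient validation of subscribe_url values" refers to: the SubscribeURL field of an SNS subscription-confirmation message is attacker-influenced input, so a webhook handler must refuse to fetch anything that is not an https URL on an SNS endpoint. The host pattern, the module name and the sample message bodies are assumptions constructed for this example.

```ruby
require "uri"

# Constructed validator for the SubscribeURL carried in an SNS
# "SubscriptionConfirmation" message. The allowlist (https only, a
# sns.<region>.amazonaws.com host) is an assumption for this example,
# not Discourse's or AWS's own rule.
module SnsSubscribeUrl
  ALLOWED_HOST = /\Asns\.[a-z0-9-]+\.amazonaws\.com\z/

  # Returns true only for an absolute https URL whose host is an SNS endpoint.
  # Anything that does not parse as a URI (including shell-like strings that
  # some generic "open" helpers would misinterpret) is rejected.
  def self.safe?(value)
    return false unless value.is_a?(String) && !value.strip.empty?

    uri = URI.parse(value)
    return false unless uri.is_a?(URI::HTTPS)   # URI::HTTP alone is not enough
    return false if uri.userinfo                # no "user:pass@host" tricks

    host = uri.host.to_s.downcase
    ALLOWED_HOST.match?(host)
  rescue URI::InvalidURIError
    false
  end

  # Mirrors how a webhook handler should consume the field: the raw string is
  # validated and converted to a parsed URI before anything fetches it.
  def self.confirmation_target(message)
    raw = message["SubscribeURL"]
    raise ArgumentError, "untrusted SubscribeURL rejected" unless safe?(raw)
    URI.parse(raw)
  end
end

# Constructed sample message bodies (not captured from any real system).
SAMPLE_GOOD = {
  "Type" => "SubscriptionConfirmation",
  "SubscribeURL" => "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=abc123"
}.freeze

SAMPLE_BAD = SAMPLE_GOOD.merge(
  "SubscribeURL" => "https://attacker.example/confirm"
).freeze

if __FILE__ == $PROGRAM_NAME
  puts SnsSubscribeUrl.confirmation_target(SAMPLE_GOOD).host
  begin
    SnsSubscribeUrl.confirmation_target(SAMPLE_BAD)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The same shape applies to any webhook that hands the receiver a callback URL: parse first, allowlist scheme and host, and only then pass the parsed URI to the HTTP client; never feed the raw string to a generic open call.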

This bug was fixed in Discourse versions 2.7.9 and 2.8.0.beta7, so administrators should upgrade to one of these versions to fully mitigate the risk associated with the flaw. If you cannot upgrade right now, block any request whose path begins with the /webhooks/aws prefix at an upstream proxy.

According to the developers, Discourse has more than 14,000 active installations worldwide, although it is hard to know exactly how many of them might be affected by this flaw.


The post CVE-2021-41163 Discourse forum software vulnerability can be very dangerous warns CISA appeared first on Information Security Newspaper | Hacking News.
