CVE-2024-23654

HIGH Year: 2024
CVSS v3 Score
7.2
High
Weakness Type
CWE-918
View all →

Vulnerability Description

discourse-ai is the AI plugin for the open-source discussion platform Discourse. Prior to commit 94ba0dadc2cf38e8f81c3936974c167219878edd, interactions with different AI services are vulnerable to admin-initiated SSRF attacks. Versions of the plugin that include commit 94ba0dadc2cf38e8f81c3936974c167219878edd contain a patch. As a workaround, one may disable the discourse-ai plugin.

Related Vulnerabilities

CVE-2015-7570

HIGH
CVSS:7.2(High)

Multiple server-side request forgery (SSRF) vulnerabilities in Yeager CMS 1.2.1 allow remote attackers to trigger outbound requests and enumerate open ports via the dbhost parameter to libs/org/adodb_...

CWE-9182015

CVE-2017-14585

HIGH
CVSS:7.2(High)

A Server Side Request Forgery (SSRF) vulnerability could lead to remote code execution for authenticated administrators. This issue was introduced in version 2.2.0 of Hipchat Server and version 3.0.0 ...

CWE-9182017

CVE-2017-18096

HIGH
CVSS:7.2(High)

The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the...

CWE-9182017

CVE-2018-13790

HIGH
CVSS:7.2(High)

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local network and mapping of the internal network, because of URL f...

CWE-9182018

CVE-2018-20499

HIGH
CVSS:7.2(High)

An issue was discovered in GitLab Community and Enterprise Edition before 11.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF.

CWE-9182018

CVE-2019-19999

HIGH
CVSS:7.2(High)

Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration.

CWE-9182019