CVE-2024-47773

High

Published: 08 October 2024

Modified: 26 August 2025
KEV Added
Patch
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.0785 (92.2th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-47773 is a high-severity Externally Controlled Reference to a Resource in Another Sphere (CWE-610) vulnerability in Discourse. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.8% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

Deeper analysis

Discourse, an open source discussion platform, contains a cache poisoning vulnerability that allows an attacker to issue multiple XHR requests and replace cached responses with versions that lack preloaded data. The flaw is restricted to responses served to anonymous visitors and stems from insufficient validation of cacheable content before it is stored and replayed.

An unauthenticated remote attacker can exploit the issue over the network to corrupt the anonymous cache, resulting in integrity violations for site content delivered to unauthenticated users and a limited availability impact. The CVSS 8.2 score reflects the absence of required authentication or user interaction combined with the ability to affect integrity without direct code execution.

The GitHub Security Advisory GHSA-58vv-9j8h-hw2v states that the problem is fixed in the current release of Discourse. Administrators who cannot upgrade immediately may set the DISCOURSE_DISABLE_ANON_CACHE environment variable to any non-empty value to disable the affected caching layer for anonymous requests. The EPSS score has remained flat at 0.0785 with no material increase since disclosure.

Vulnerability details

Discourse is an open source platform for community discussion. An attacker can make several XHR requests until the cache is poisoned with a response without any preloaded data. This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2024-47773 enables unauthenticated remote exploitation of the public-facing Discourse web application via anonymous cache poisoning through XHR requests, allowing attackers to manipulate cached responses served to anonymous visitors.

Affected Assets

discourse
discourse
≤ 3.3.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-610

Limits impact of an externally controlled reference to a primary information resource by switching to an identified alternative.
