CVE-2020-24327: 
NixOS vulnerability analysis and mitigation

Server Side Request Forgery (SSRF) vulnerability exists in Discourse versions 2.3.2 and 2.6 via the email function. The vulnerability allows attackers to exploit the image upload functionality when writing emails in the editor to upload pictures from remote websites (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The issue specifically occurs in the email composition functionality where users can upload images from remote websites. When this feature is used, the application makes a GET request to the specified remote server to fetch the image (GitHub PR).

The vulnerability allows an attacker to make the Discourse server perform unauthorized GET requests to arbitrary URLs, potentially accessing internal resources or services that should not be accessible from external networks. This could lead to information disclosure or access to internal systems (NVD).

The issue has been addressed through a pull request to the Discourse repository. Users should upgrade to a version after 2.6 that includes the security fix (GitHub PR).