
Cloud Vulnerability DB
A community-led vulnerabilities database
Discourse, an open source community platform, was found to contain a vulnerability (CVE-2023-45147) where any user could create a topic and add arbitrary custom fields to it. The vulnerability was discovered and disclosed on October 16, 2023, affecting Discourse versions prior to 3.1.1 on the stable branch and versions prior to 3.2.0.beta2 on the beta branch (GitHub Advisory).
The vulnerability has been assigned a CVSS v3.1 base score of 3.1 LOW by NIST and 4.9 MEDIUM by GitHub, with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N. The attack vector is network-based but the attack complexity is high; an authenticated user with low privileges can add arbitrary custom fields to topics (NVD).
The severity and impact of this vulnerability are dependent on the installed plugins and how they utilize topic custom fields. For a default Discourse installation with standard plugins, the vulnerability has no direct impact. However, in installations with plugins that use topic custom fields in security-sensitive code paths, the vulnerability could potentially lead to security issues (GitHub Advisory).
The vulnerability has been patched in Discourse version 3.1.1 for the stable branch and version 3.2.0.beta2 for the beta branch. Users are advised to update to these versions or later. For those unable to upgrade immediately, a temporary workaround is to disable any plugins that access topic custom fields, particularly if they use these fields in security-sensitive code paths (GitHub Advisory).
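The root cause described above is that user-supplied custom fields were accepted without being checked against what plugins actually declared as user-editable. The following is an added illustration, not Discourse's own code or its actual patch: it contrasts the unsafe "accept whatever keys the client sends" pattern with a filter that only admits fields from a registry and honours a staff-only flag. The registry `EDITABLE_FIELDS`, the functions `unsafe_custom_fields` and `filter_custom_fields`, and the field names in it are hypothetical; the request hash at the bottom is constructed sample input.

```ruby
# Added example (not Discourse's own code): filtering user-supplied topic
# custom fields against a registry of editable fields. All names here are
# hypothetical and exist only for this illustration.

# Hypothetical registry: each plugin declares which topic custom fields an
# ordinary user may set and which are reserved for staff. Anything not listed
# is treated as internal and must never be settable from a request.
EDITABLE_FIELDS = {
  "reading_time"     => { staff_only: false },
  "featured_on_home" => { staff_only: true },
}.freeze

# Vulnerable pattern: the custom_fields hash from the request is stored as-is,
# so a plugin that later trusts one of those keys can be fed attacker-chosen data.
def unsafe_custom_fields(params)
  params.fetch("custom_fields", {})
end

# Hardened pattern: keep only registered keys, enforce staff_only, and return
# the rejected keys so the caller can log or alert on attempts to set them.
def filter_custom_fields(params, staff:)
  supplied = params.fetch("custom_fields", {})
  allowed  = {}
  rejected = []
  supplied.each do |key, value|
    name = key.to_s
    rule = EDITABLE_FIELDS[name]
    if rule.nil? || (rule[:staff_only] && !staff)
      rejected << name
    else
      allowed[name] = value
    end
  end
  [allowed, rejected]
end

# Constructed sample request: one legitimate field, one staff-only field and
# one key that no plugin registered as editable.
SAMPLE_REQUEST = {
  "title"         => "Hello world",
  "custom_fields" => {
    "reading_time"         => 5,
    "featured_on_home"     => true,
    "plugin_internal_flag" => "1",
  },
}.freeze

if __FILE__ == $PROGRAM_NAME
  allowed, rejected = filter_custom_fields(SAMPLE_REQUEST, staff: false)
  puts "stored for regular user: #{allowed.inspect}"
  puts "rejected (log/alert):     #{rejected.inspect}"
  puts "unsafe pattern stores:    #{unsafe_custom_fields(SAMPLE_REQUEST).keys.inspect}"
end
```

The useful defensive signal is the `rejected` list: if a plugin ever sees a key that nobody registered, that is a request worth logging. The same check also gives a quick audit of the workaround in the advisory, since a plugin that cannot state which fields it expects users to set is exactly one that should be disabled until the upgrade is done.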
Source: This report was generated using AI