CISA Urges Sites to Patch Critical RCE in Discourse

The patch, rushed out on Friday, is an emergency fix for the widely deployed platform, whose most-trafficked site is Amazon’s Seller Central.

Discourse – the ultra-popular, widely deployed open-source community forum and mailing list management platform – has a critical remote code-execution (RCE) bug that was fixed in an urgent update on Friday.

Tracked as CVE-2021-41163, the flaw is found in Discourse versions 2.7.8 and earlier. It’s rated with a tip-top CVSS severity score of 10 and should be considered an emergency fix.

Discourse is widely used and wildly popular, being known for topping competing forum software platforms in terms of usability. It offers features that have been popularized by social-media networks, such as infinite scrolling, live updates, drag-and-drop attachments and more.

According to market-share and web-usage statistics, the top website using Discourse is sellercentral.amazon.com, which sees a flood of 30 million monthly users. Discourse is also used to run the community forum for the popular radio show Car Talk.

Top websites using Discourse. Source: SimilarTech.

Given Discourse’s widespread use, the Cybersecurity and Infrastructure Security Agency (CISA) on Sunday urged developers

Read More: https://threatpost.com/cisa-critical-rce-discourse/175705/