Filtered by vendor Discourse
Subscribe
Total
98 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-43789 | 1 Discourse | 1 Discourse | 2024-10-19 | N/A | 4.3 MEDIUM |
| Discourse is an open source platform for community discussion. A user can create a post with many replies, and then attempt to fetch them all at once. This can potentially reduce the availability of a Discourse instance. This problem has been patched in the latest version of Discourse. All users area are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-45051 | 1 Discourse | 1 Discourse | 2024-10-19 | N/A | 8.2 HIGH |
| Discourse is an open source platform for community discussion. A maliciously crafted email address could allow an attacker to bypass domain-based restrictions and gain access to private sites, categories and/or groups. This issue has been patched in the latest stable, beta and tests-passed version of Discourse. All users area are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-45297 | 1 Discourse | 1 Discourse | 2024-10-19 | N/A | 4.3 MEDIUM |
| Discourse is an open source platform for community discussion. Users can see topics with a hidden tag if they know the label/name of that tag. This issue has been patched in the latest stable, beta and tests-passed version of Discourse. All users area are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-47772 | 1 Discourse | 1 Discourse | 2024-10-19 | N/A | 6.1 MEDIUM |
| Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of Discourse. All users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum. Users who do upgrade should also consider enabling a CSP as well as a proactive measure. | |||||
| CVE-2024-45303 | 1 Discourse | 1 Calendar | 2024-09-18 | N/A | 6.1 MEDIUM |
| Discourse Calendar plugin adds the ability to create a dynamic calendar in the first post of a topic to Discourse. Rendering event names can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy. The issue is patched in version 0.5 of the Discourse Calendar plugin. | |||||
| CVE-2024-35234 | 1 Discourse | 1 Discourse | 2024-09-18 | N/A | 6.1 MEDIUM |
| Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, an attacker can execute arbitrary JavaScript on users’ browsers by posting a specific URL containing maliciously crafted meta tags. This issue only affects sites with Content Security Polic (CSP) disabled. The problem has been patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch. As a workaround, ensure CSP is enabled on the forum. | |||||
| CVE-2024-36113 | 1 Discourse | 1 Discourse | 2024-09-18 | N/A | 6.5 MEDIUM |
| Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch, a rogue staff user could suspend other staff users preventing them from logging in to the site. The issue is patched in version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch. No known workarounds are available. | |||||
| CVE-2024-36122 | 1 Discourse | 1 Discourse | 2024-09-18 | N/A | 4.3 MEDIUM |
| Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, moderators using the review queue to review users may see a users email address even when the Allow moderators to view email addresses setting is disabled. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. As possible workarounds, either prevent moderators from accessing the review queue or disable the approve suspect users site setting and the must approve users site setting to prevent users from being added to the review queue. | |||||
| CVE-2024-37157 | 1 Discourse | 1 Discourse | 2024-09-18 | N/A | 5.3 MEDIUM |
| Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, a malicious actor could get the FastImage library to redirect requests to an internal Discourse IP. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. No known workarounds are available. | |||||
| CVE-2024-39320 | 1 Discourse | 1 Discourse | 2024-09-11 | N/A | 6.1 MEDIUM |
| Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5. | |||||
| CVE-2024-37299 | 1 Discourse | 1 Discourse | 2024-09-11 | N/A | 7.5 HIGH |
| Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, crafting requests to submit very long tag group names can reduce the availability of a Discourse instance. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5. | |||||
| CVE-2024-37165 | 1 Discourse | 1 Discourse | 2024-09-11 | N/A | 6.1 MEDIUM |
| Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability is fixed in 3.2.3 and 3.3.0.beta3. | |||||
| CVE-2024-21658 | 1 Discourse | 1 Discourse Calendar | 2024-09-05 | N/A | 4.3 MEDIUM |
| discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in main the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible. | |||||
| CVE-2024-24755 | 1 Discourse | 1 Group Membership Ip Blocks | 2024-02-09 | N/A | 5.3 MEDIUM |
| discourse-group-membership-ip-block is a discourse plugin that adds support for adding users to groups based on their IP address. discourse-group-membership-ip-block was sending all group custom fields to the client, including group custom fields from other plugins which may expect their custom fields to remain secret. | |||||
| CVE-2024-23834 | 1 Discourse | 1 Discourse | 2024-02-08 | N/A | 6.1 MEDIUM |
| Discourse is an open-source discussion platform. Improperly sanitized user input could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. The vulnerability is patched in 3.1.5 and 3.2.0.beta5. As a workaround, ensure Content Security Policy is enabled and does not include `unsafe-inline`. | |||||
| CVE-2023-48297 | 1 Discourse | 1 Discourse | 2024-02-05 | N/A | 7.5 HIGH |
| Discourse is a platform for community discussion. The message serializer uses the full list of expanded chat mentions (@all and @here) which can lead to a very long array of users. This issue was patched in versions 3.1.4 and beta 3.2.0.beta5. | |||||
| CVE-2023-49099 | 1 Discourse | 1 Discourse | 2024-02-05 | N/A | 4.3 MEDIUM |
| Discourse is a platform for community discussion. Under very specific circumstances, secure upload URLs associated with posts can be accessed by guest users even when login is required. This vulnerability has been patched in 3.2.0.beta4 and 3.1.4. | |||||
| CVE-2024-21655 | 1 Discourse | 1 Discourse | 2024-02-05 | N/A | 4.3 MEDIUM |
| Discourse is a platform for community discussion. For fields that are client editable, limits on sizes are not imposed. This allows a malicious actor to cause a Discourse instance to use excessive disk space and also often excessive bandwidth. The issue is patched 3.1.4 and 3.2.0.beta4. | |||||
| CVE-2023-49098 | 1 Discourse | 1 Discourse Reactions | 2024-02-05 | N/A | 3.5 LOW |
| Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939. | |||||
| CVE-2023-36818 | 1 Discourse | 1 Discourse | 2024-02-05 | N/A | 7.5 HIGH |
| Discourse is an open source discussion platform. In affected versions a request to create or update custom sidebar section can cause a denial of service. This issue has been patched in commit `52b003d915`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||