222 matches found
CVE-2023-28440
CVE-2023-28440 affects Discourse: an admin-authenticated request can trigger a long-running operation, leading to a denial of service (availability impact) in affected builds. Public records identify the vulnerability as a Denial of Service via the admin theme import route, with mitigation by upg...
CVE-2023-28440 Denial of service via admin theme import route in Discourse
Discourse is an open source platform for community discussion. In affected versions a maliciously crafted request from a Discourse administrator can lead to a long-running request and eventual timeout. This has the greatest potential impact in shared hosting environments where admins are untruste...
Design/Logic Flaw
Discourse is an open source platform for community discussion. Tags that are normally private are showing in metadata. This affects any site running the tests-passed or beta branches = 3.1.0.beta2. The issue is patched in the latest beta and tests-passed version of Discourse...
CVE-2023-25819
Discourse vulnerability CVE-2023-25819: metadata leakage where normally private tags are exposed in og:article and related metadata for sites running the tests-passed or beta branches >= 3.1.0.beta2. The issue affects Discourse and is patched in the latest beta and tests-passed releases. Root ...
CVE-2023-25819 Discourse tags with no visibility are leaking into og:article:tag
Discourse is an open source platform for community discussion. Tags that are normally private are showing in metadata. This affects any site running the tests-passed or beta branches = 3.1.0.beta2. The issue is patched in the latest beta and tests-passed version of Discourse...
CVE-2023-25819 Discourse tags with no visibility are leaking into og:article:tag
Discourse is an open source platform for community discussion. Tags that are normally private are showing in metadata. This affects any site running the tests-passed or beta branches = 3.1.0.beta2. The issue is patched in the latest beta and tests-passed version of Discourse...
Design/Logic Flaw
Discourse is an open source platform for community discussion. Versions prior to 3.1.0.beta1 beta tests-passed are vulnerable to Allocation of Resources Without Limits. Users can create chat drafts of an unlimited length, which can cause a denial of service by generating an excessive load on the...
CVE-2023-22739
Discourse is an open source platform for community discussion. Versions prior to 3.0.1 stable, 3.1.0.beta2 beta, and 3.1.0.beta2 tests-passed are subject to Allocation of Resources Without Limits or Throttling. As there is no limit on data contained in a draft, a malicious user can create an...
Command injection
Discourse is an open source platform for community discussion. Versions prior to 3.0.1 stable, 3.1.0.beta2 beta, and 3.1.0.beta2 tests-passed are subject to Allocation of Resources Without Limits or Throttling. As there is no limit on data contained in a draft, a malicious user can create an...
Cross site scripting
Discourse is an open source platform for community discussion. Versions prior to 2.8.13 stable, 3.0.0.beta16 beta and 3.0.0beta16 tests-passed, are vulnerable to cross-site Scripting. A maliciously crafted URL can be included in a post to carry out cross-site scripting attacks on sites with...
CVE-2023-22739
CVE-2023-22739 affects Discourse. Versions prior to 3.0.1 (stable) and 3.1.0.beta2 (beta/tests-passed) are vulnerable to unbounded draft data, enabling a malicious user to create an arbitrarily large draft and cause the instance to crawl. Root cause: Allocation of Resources Without Limits or Thro...
CVE-2023-22739 Discourse subject to Allocation of Resources Without Limits or Throttling
Discourse is an open source platform for community discussion. Versions prior to 3.0.1 stable, 3.1.0.beta2 beta, and 3.1.0.beta2 tests-passed are subject to Allocation of Resources Without Limits or Throttling. As there is no limit on data contained in a draft, a malicious user can create an...
CVE-2023-22468
CVE-2023-22468 relates to a cross-site scripting vulnerability in Discourse. Publicly documented versions prior to 2.8.13 (stable) and 3.0.0.beta16 (beta and tests-passed) are affected by a crafted URL that can be included in a post to trigger XSS on sites with insecure CSP. Discourse’s default C...
Discourse Cross-Site Scripting Vulnerability
Discourse is an open source community discussion platform. The platform includes features such as community, email and chat rooms. A cross-site scripting vulnerability exists in Discourse version 2.8.10 and earlier, 2.9.0.beta11 and earlier, which can be exploited by attackers to inject malicious...
CVE-2022-39356
Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is...
CVE-2022-39241
Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest stable, beta, and test-passed versions are now patched. As a...
CVE-2022-39378
Discourse is a platform for community discussion. Under certain conditions, a user badge may have been awarded based on a user's activity in a topic with restricted access. Before this vulnerability was disclosed, the topic title of the topic associated with the user badge may be viewed by any...
Information disclosure
Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is...
Improper access control
Discourse is a platform for community discussion. Under certain conditions, a user badge may have been awarded based on a user's activity in a topic with restricted access. Before this vulnerability was disclosed, the topic title of the topic associated with the user badge may be viewed by any...
Discourse 安全漏洞
Discourse is an open source community discussion platform. The platform includes features such as communities, email and chat rooms. A security vulnerability exists in Discourse. An attacker exploited the vulnerability to cause sensitive information to be disclosed...