VYPR

Bitnami package

discourse

pkg:bitnami/discourse

Vulnerabilities (246)

  • CVE-2022-46168Jan 5, 2023
    affected < 2.8.14fixed 2.8.14

    Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta15 on the `beta` and `tests-passed` branches, recipients of a group SMTP email could see the email addresses of all other users inside the group SMTP topic. Mos

  • CVE-2022-23549Jan 5, 2023
    affected < 2.8.14fixed 2.8.14

    Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, users can create posts with raw body longer than the `max_length` site setting by including html comments that are

  • CVE-2022-23548Jan 5, 2023
    affected < 2.8.14fixed 2.8.14

    Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, parsing posts can be susceptible to regular expression denial of service (ReDoS) attacks. This issue is patched in

  • CVE-2022-46159Dec 2, 2022
    affected < 2.8.14fixed 2.8.14

    Discourse is an open-source discussion platform. In version 2.8.13 and prior on the `stable` branch and version 2.9.0.beta14 and prior on the `beta` and `tests-passed` branches, any authenticated user can create an unlisted topic. These topics, which are not readily available to

  • CVE-2022-46150Nov 29, 2022
    affected < 2.8.13fixed 2.8.13

    Discourse is an open-source discussion platform. Prior to version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches, unauthorized users may learn of the existence of hidden tags and that they have been applied to topics that they hav

  • CVE-2022-46148Nov 29, 2022
    affected < 2.8.11fixed 2.8.11

    Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the `stable` branch and versions 2.9.0.beta11 and prior on the `beta` and `tests-passed` branches, users composing malicious messages and navigating to drafts page could self-XSS. This vulnerability c

  • CVE-2022-41944Nov 28, 2022
    affected < 2.8.12fixed 2.8.12

    Discourse is an open-source discussion platform. In stable versions prior to 2.8.12 and beta or tests-passed versions prior to 2.9.0.beta.13, under certain conditions, a user can see notifications for topics they no longer have access to. If there is sensitive information in the

  • CVE-2022-41921Nov 28, 2022
    affected < 2.9.0fixed 2.9.0

    Discourse is an open-source discussion platform. Prior to version 2.9.0.beta13, users can post chat messages of an unlimited length, which can cause a denial of service for other users when posting huge amounts of text. Users should upgrade to version 2.9.0.beta13, where a limit

  • CVE-2022-39385Nov 14, 2022
    affected < 2.8.10fixed 2.8.10

    Discourse is the an open source discussion platform. In some rare cases users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this, it happens transparently in the background. This

  • CVE-2022-39378Nov 2, 2022
    affected < 2.8.9fixed 2.8.9

    Discourse is a platform for community discussion. Under certain conditions, a user badge may have been awarded based on a user's activity in a topic with restricted access. Before this vulnerability was disclosed, the topic title of the topic associated with the user badge may be

  • CVE-2022-39356Nov 2, 2022
    affected < 2.8.10fixed 2.8.10

    Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version.

  • CVE-2022-39241Nov 2, 2022
    affected < 2.8.10fixed 2.8.10

    Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest `stable`, `beta`, and `test-passed` versions are

  • CVE-2022-39232Sep 29, 2022
    affected >= 2.9.0-beta5, <= 2.9.0-beta5

    Discourse is an open source discussion platform. Starting with version 2.9.0.beta5 and prior to version 2.9.0.beta10, an incomplete quote can generate a JavaScript error which will crash the current page in the browser in some cases. Version 2.9.0.beta10 added a fix and tests to

  • CVE-2022-39226Sep 29, 2022
    affected < 2.8.9fixed 2.8.9

    Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, a malicious actor can add large payloads of text into the Location and Website fields of a user profile, which c

  • CVE-2022-36068Sep 29, 2022
    affected < 2.8.9fixed 2.8.9

    Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, a moderator can create new and edit existing themes by using the API when they should not be able to do so. The

  • CVE-2022-36066Sep 29, 2022
    affected < 2.8.9fixed 2.8.9

    Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigge

  • CVE-2022-37458Sep 2, 2022
    affected < 2.8.8fixed 2.8.8

    Discourse through 2.8.7 allows admins to send invitations to arbitrary email addresses at an unlimited rate.

  • CVE-2022-31184Aug 1, 2022
    affected <= 2.8.6

    Discourse is the an open source discussion platform. In affected versions an email activation route can be abused to send mass spam emails. A fix has been included in the latest stable, beta and tests-passed versions of Discourse which rate limits emails. Users are advised to upg

  • CVE-2022-31182Aug 1, 2022
    affected < 2.8.7fixed 2.8.7

    Discourse is the an open source discussion platform. In affected versions a maliciously crafted request for static assets could cause error responses to be cached by Discourse's default NGINX proxy configuration. A corrected NGINX configuration is included in the latest stable, b

  • CVE-2022-31096Jun 27, 2022
    affected <= 2.8.4

    Discourse is an open source discussion platform. Under certain conditions, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggravated