Bitnami package
discourse
pkg:bitnami/discourse
Vulnerabilities (233)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-43794 | — | — | — | < 2.7.11 | 2.7.11 | Dec 1, 2021 | Discourse is an open source discussion platform. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown a JSON blob instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched |
| CVE-2021-43792 | — | — | — | < 2.7.11 | 2.7.11 | Dec 1, 2021 | Discourse is an open source discussion platform. In affected versions a vulnerability affects users of tag groups who use the "Tags are visible only to the following groups" feature. A tag group may only allow a certain group (e.g. staff) to view certain tags. Users who were trac |
| CVE-2021-41271 | — | — | — | <= 2.7.9 | — | Nov 15, 2021 | Discourse is a platform for community discussion. In affected versions a maliciously crafted request could cause an error response to be cached by intermediate proxies. This could cause a loss of confidentiality for some content. This issue is patched in the latest stable, beta a |
| CVE-2021-41163 | — | — | — | < 2.7.9 | 2.7.9 | Oct 20, 2021 | Discourse is an open source platform for community discussion. In affected versions maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscribe_url values. This issue is patched in the latest stable, beta and tests-passed |
| CVE-2021-41095 | — | — | — | <= 2.7.7 | — | Sep 27, 2021 | Discourse is an open source discussion platform. There is a cross-site scripting (XSS) vulnerability in versions 2.7.7 and earlier of the `stable` branch, versions 2.8.0.beta6 and earlier of the `beta` branch, and versions 2.8.0.beta6 and earlier of the `tests-passed` branch. Ren |
| CVE-2020-24327 | — | — | — | >= 2.3.2, < 2.3.3 | 2.3.3 | Sep 23, 2021 | Server Side Request Forgery (SSRF) vulnerability exists in Discourse 2.3.2 and 2.6 via the email function. When writing an email in an editor, you can upload pictures of remote websites. |
| CVE-2021-39161 | — | — | — | < 2.7.8 | 2.7.8 | Aug 26, 2021 | Discourse is an open source platform for community discussion. In affected versions category names can be used for Cross-site scripting (XSS) attacks. This is mitigated by Discourse's default Content Security Policy and this vulnerability only affects sites which have modified or |
| CVE-2021-37703 | — | — | — | < 2.7.8 | 2.7.8 | Aug 13, 2021 | Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta5, a user's read state for a topic such as the last read post number and the notification level is exposed. |
| CVE-2021-37693 | — | — | — | < 2.7.8 | 2.7.8 | Aug 13, 2021 | Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the |
| CVE-2021-37633 | — | — | — | < 2.7.8 | 2.7.8 | Aug 9, 2021 | Discourse is an open source discussion platform. In versions prior to 2.7.8 rendering of d-popover tooltips can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy. This issue is patched |
| CVE-2021-32788 | — | — | — | < 2.7.7 | 2.7.7 | Jul 27, 2021 | Discourse is an open source discussion platform. In versions prior to 2.7.7 there are two bugs which led to the post creator of a whisper post being revealed to non-staff users. 1: Staff users that creates a whisper post in a personal message is revealed to non-staff participants |
| CVE-2021-32764 | — | — | — | <= 2.7.5 | — | Jul 15, 2021 | Discourse is an open-source discussion platform. In Discourse versions 2.7.5 and prior, parsing and rendering of YouTube Oneboxes can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy. |
| CVE-2021-3138 | — | — | — | <= 2.6.0 | — | Jan 14, 2021 | In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. |
Page 12 of 12