VYPR

Bitnami package

discourse

pkg:bitnami/discourse

Vulnerabilities (246)

  • CVE-2025-54411Aug 19, 2025
    affected < 3.5.0fixed 3.5.0

    Discourse is an open-source discussion platform. Welcome banner user name string for logged in users can be vulnerable to XSS attacks, which affect the user themselves or an admin impersonating them. Admins can temporarily alter the welcome_banner.header.logged_in_members site te

  • CVE-2025-53102Jul 29, 2025
    affected < 3.4.7fixed 3.4.7

    Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The cha

  • CVE-2025-49845Jun 25, 2025
    affected < 3.4.6fixed 3.4.6

    Discourse is an open-source discussion platform. The visibility of posts typed `whisper` is controlled via the `whispers_allowed_groups` site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed `whisper`. However, it has been di

  • CVE-2025-48954Jun 25, 2025
    affected < 3.5.0fixed 3.5.0

    Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0.beta6 patches the issue. As a workaround, have the content security policy

  • CVE-2025-48877Jun 9, 2025
    affected < 3.4.4fixed 3.4.4

    Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, Codepen is present in the default `allowed_iframes` site setting, and it can potenti

  • CVE-2025-48062Jun 9, 2025
    affected < 3.4.4fixed 3.4.4

    Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, certain invites via email may result in HTML injection in the email body if the topi

  • CVE-2025-48053Jun 9, 2025
    affected < 3.4.4fixed 3.4.4

    Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, sending a malicious URL in a PM to a bot user can cause a reduced the availability o

  • CVE-2025-32376Apr 30, 2025
    affected < 3.4.3fixed 3.4.3

    Discourse is an open-source discussion platform. Prior to versions 3.4.3 on the stable branch and 3.5.0.beta3 on the beta branch, the users limit for a DM can be bypassed, thus giving the ability to potentially create a DM with every user from a site in it. This issue has been pa

  • CVE-2025-24972Mar 26, 2025
    affected < 3.4.0fixed 3.4.0

    Discourse is an open-source discussion platform. Prior to versions `3.3.4` on the `stable` branch and `3.4.0.beta5` on the `beta` branch, in specific circumstances, users could be added to group direct messages despite disabling direct messaging in their preferences. Versions `3.

  • CVE-2025-24808Mar 26, 2025
    affected < 3.4.0fixed 3.4.0

    Discourse is an open-source discussion platform. Prior to versions `3.3.4` on the `stable` branch and `3.4.0.beta5` on the `beta` branch, someone who is about to reach the limit of users in a group DM may send requests to add new users in parallel. The requests might all go throu

  • CVE-2024-53266Feb 4, 2025
    affected < 3.3.3fixed 3.3.3

    Discourse is an open source platform for community discussion. In affected versions with some combinations of plugins, and with CSP disabled, activity streams in the user's profile page may be vulnerable to XSS. This has been patched in the latest version of Discourse core. Users

  • CVE-2024-53851Feb 4, 2025
    affected < 3.3.3fixed 3.3.3

    Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app

  • CVE-2024-53994Feb 4, 2025
    affected < 3.3.3fixed 3.3.3

    Discourse is an open source platform for community discussion. In affected versions users who disable chat in preferences could still be reachable in some cases. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrad

  • CVE-2024-55948Feb 4, 2025
    affected < 3.3.2fixed 3.3.2

    Discourse is an open source platform for community discussion. In affected versions an attacker can make craft an XHR request to poison the anonymous cache (for example, the cache may have a response with missing preloaded data). This issue only affects anonymous visitors of the

  • CVE-2024-56197Feb 4, 2025
    affected < 3.4.0fixed 3.4.0

    Discourse is an open source platform for community discussion. PM titles and metadata can be read by other users when the "PM tags allowed for groups" option is enabled, the other user is a member of a group added to this option, and the PM has been tagged. This issue has been pa

  • CVE-2024-56328Feb 4, 2025
    affected < 3.4.0fixed 3.4.0

    Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Disc

  • CVE-2025-22602Feb 4, 2025
    affected < 3.4.0fixed 3.4.0

    Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. This problem has been patche

  • CVE-2025-23023Feb 4, 2025
    affected < 3.3.2fixed 3.3.2

    Discourse is an open source platform for community discussion. In affected versions an attacker can carefully craft a request with the right request headers to poison the anonymous cache (for example, the cache may have a response with missing preloaded data). This issue only af

  • CVE-2024-49765Dec 19, 2024
    affected < 3.3.3fixed 3.3.3

    Discourse is an open source platform for community discussion. Sites that are using discourse connect but still have local logins enabled could allow attackers to bypass discourse connect to create accounts and login. This problem is patched in the latest version of Discourse. Us

  • CVE-2024-52589Dec 19, 2024
    affected < 3.3.3fixed 3.3.3

    Discourse is an open source platform for community discussion. Moderators can see the Screened emails list in the admin dashboard, and through that can learn the email of a user. This problem is patched in the latest version of Discourse. Users unable to upgrade should remove mod

Page 6 of 13