VYPR

Bitnami package

discourse

pkg:bitnami/discourse

Vulnerabilities (246)

  • CVE-2024-24827Mar 15, 2024
    affected < 3.2.1fixed 3.2.1

    Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact vari

  • CVE-2024-23834Jan 30, 2024
    affected < 3.2.0fixed 3.2.0

    Discourse is an open-source discussion platform. Improperly sanitized user input could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. The vulnerability is patched in 3.1

  • CVE-2023-49099Jan 12, 2024
    affected < 3.1.4fixed 3.1.4

    Discourse is a platform for community discussion. Under very specific circumstances, secure upload URLs associated with posts can be accessed by guest users even when login is required. This vulnerability has been patched in 3.2.0.beta4 and 3.1.4.

  • CVE-2024-21655Jan 12, 2024
    affected < 3.1.4fixed 3.1.4

    Discourse is a platform for community discussion. For fields that are client editable, limits on sizes are not imposed. This allows a malicious actor to cause a Discourse instance to use excessive disk space and also often excessive bandwidth. The issue is patched 3.1.4 and 3.2.0

  • CVE-2023-48297Jan 12, 2024
    affected < 3.1.4fixed 3.1.4

    Discourse is a platform for community discussion. The message serializer uses the full list of expanded chat mentions (@all and @here) which can lead to a very long array of users. This issue was patched in versions 3.1.4 and beta 3.2.0.beta5.

  • CVE-2023-47121Nov 10, 2023
    affected < 3.2.0fixed 3.2.0

    Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, the embedding feature is susceptible to server side request forgery. The issue is patched in version 3.1

  • CVE-2023-47120Nov 10, 2023
    affected >= 3.1.0, < 3.1.3fixed 3.1.3

    Discourse is an open source platform for community discussion. In versions 3.1.0 through 3.1.2 of the `stable` branch and versions 3.1.0,beta6 through 3.2.0.beta2 of the `beta` and `tests-passed` branches, Redis memory can be depleted by crafting a site with an abnormally long fa

  • CVE-2023-47119Nov 10, 2023
    affected < 3.2.0fixed 3.2.0

    Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some links can inject arbitrary HTML tags when rendered through our Onebox engine. The issue is patched

  • CVE-2023-46130Nov 10, 2023
    affected < 3.2.0fixed 3.2.0

    Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some theme components allow users to add svgs with unlimited `height` attributes, and this can affect th

  • CVE-2023-45816Nov 10, 2023
    affected < 3.2.0fixed 3.2.0

    Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, there is an edge case where a bookmark reminder is sent and an unread notification is generated, but the

  • CVE-2023-45806Nov 10, 2023
    affected < 3.2.0fixed 3.2.0

    Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, if a user has been quoted and uses a `|` in their full name, they might be able to trigger a bug that ge

  • CVE-2023-45131Oct 16, 2023
    affected <= 3.1.1

    Discourse is an open source platform for community discussion. New chat messages can be read by making an unauthenticated POST request to MessageBus. This issue is patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. Users are advised to upgrade. There are no known

  • CVE-2023-44391Oct 16, 2023
    affected <= 3.1.1

    Discourse is an open source platform for community discussion. User summaries are accessible for anonymous users even when `hide_user_profiles_from_public` is enabled. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 version of Discourse. Users are advised to upg

  • CVE-2023-44388Oct 16, 2023
    affected <= 3.1.1

    Discourse is an open source platform for community discussion. A malicious request can cause production log files to quickly fill up and thus result in the server running out of disk space. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. I

  • CVE-2023-43814Oct 16, 2023
    affected <= 3.1.1

    Discourse is an open source platform for community discussion. Attackers with details specific to a poll in a topic can use the `/polls/grouped_poll_results` endpoint to view the content of options in the poll and the number of votes for groups of poll participants. This impacts

  • CVE-2023-43659Oct 16, 2023
    affected <= 3.1.1

    Discourse is an open source platform for community discussion. Improper escaping of user input allowed for Cross-site Scripting attacks via the digest email preview UI. This issue only affects sites with CSP disabled. This issue has been patched in the 3.1.1 stable release as wel

  • CVE-2023-45147Oct 16, 2023
    affected <= 3.1.1

    Discourse is an open source community platform. In affected versions any user can create a topic and add arbitrary custom fields to a topic. The severity of this vulnerability depends on what plugins are installed and how the plugins uses topic custom fields. For a default Discou

  • CVE-2023-41043Sep 15, 2023
    affected < 3.1.1fixed 3.1.1

    Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious admin could create extremely large icons sprites, which would then be cached in each server process. This

  • CVE-2023-41042Sep 15, 2023
    affected < 3.1.1fixed 3.1.1

    Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, importing a remote theme loads their assets into memory without enforcing limits for file size or number of files. The

  • CVE-2023-40588Sep 15, 2023
    affected < 3.1.1fixed 3.1.1

    Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious user could add a 2FA or security key with a carefully crafted name to their account and cause a denial of

Page 8 of 13