Bitnami package
discourse
pkg:bitnami/discourse
Vulnerabilities (246)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-38706 | — | < 3.1.1 | 3.1.1 | Sep 15, 2023 | Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious user can create an unlimited number of drafts with very long draft keys which may end up exhausting the re | ||
| CVE-2023-38685 | — | < 3.0.6 | 3.0.6 | Jul 28, 2023 | Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, information about restricted-visibility topic tags could be obtained by unauthorized users. The issue is patched in ve | ||
| CVE-2023-38684 | — | < 3.0.6 | 3.0.6 | Jul 28, 2023 | Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, in multiple controller actions, Discourse accepts limit params but does not impose any upper bound on the values being | ||
| CVE-2023-38498 | — | < 3.0.6 | 3.0.6 | Jul 28, 2023 | Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a malicious user can prevent the defer queue from proceeding promptly on sites hosted in the same multisite installati | ||
| CVE-2023-37906 | — | < 3.0.6 | 3.0.6 | Jul 28, 2023 | Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a malicious user can edit a post in a topic and cause a DoS with a carefully crafted edit reason. The issue is patched | ||
| CVE-2023-37904 | — | < 3.0.6 | 3.0.6 | Jul 28, 2023 | Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, more users than permitted could be created from invite links. The issue is patched in version 3.0.6 of the `stable` br | ||
| CVE-2023-37467 | — | >= 1.1.0-beta1, <= 1.1.0-beta1 | — | Jul 28, 2023 | Discourse is an open source discussion platform. Prior to version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a CSP (Content Security Policy) nonce reuse vulnerability was discovered could allow cross-site scripting (XSS) attacks to bypass CSP protection for anonymous | ||
| CVE-2023-36818 | — | >= 3.1.0-beta5, <= 3.1.0-beta5 | — | Jul 14, 2023 | Discourse is an open source discussion platform. In affected versions a request to create or update custom sidebar section can cause a denial of service. This issue has been patched in commit `52b003d915`. Users are advised to upgrade. There are no known workarounds for this vuln | ||
| CVE-2023-36466 | — | < 3.0.5 | 3.0.5 | Jul 14, 2023 | Discourse is an open source discussion platform. When editing a topic, there is a vulnerability that enables a user to bypass the topic title validations for things like title length, number of emojis in title and blank topic titles. The issue is patched in the latest stable, bet | ||
| CVE-2023-36473 | — | < 3.0.5 | 3.0.5 | Jul 13, 2023 | Discourse is an open source discussion platform. A CSP (Content Security Policy) nonce reuse vulnerability could allow XSS attacks to bypass CSP protection. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack t | ||
| CVE-2023-34250 | — | < 3.0.4 | 3.0.4 | Jun 13, 2023 | Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, an attacker could use the new topics dismissal endpoint to reveal the number of topics recently created (but not the a | ||
| CVE-2023-32301 | — | < 3.0.4 | 3.0.4 | Jun 13, 2023 | Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, multiple duplicate topics could be created if topic embedding is enabled. This issue is patched in version 3.0.4 of th | ||
| CVE-2023-32061 | — | < 3.0.4 | 3.0.4 | Jun 13, 2023 | Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, the lack of restrictions on the iFrame tag makes it easy for an attacker to exploit the vulnerability and hide subsequ | ||
| CVE-2023-31142 | — | < 3.0.4 | 3.0.4 | Jun 13, 2023 | Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, if a site has modified their general category permissions, they could be set back to the default. This issue is patche | ||
| CVE-2023-30606 | — | < 3.1.0 | 3.1.0 | Apr 18, 2023 | Discourse is an open source platform for community discussion. In affected versions a user logged as an administrator can call arbitrary methods on the `SiteSetting` class, notably `#clear_cache!` and `#notify_changed!`, which when done on a multisite instance, can affect the ent | ||
| CVE-2023-30538 | — | < 3.1.0 | 3.1.0 | Apr 18, 2023 | Discourse is an open source platform for community discussion. Due to the improper sanitization of SVG files, an attacker can execute arbitrary JavaScript on the users’ browsers by uploading a crafted SVG file. This issue is patched in the latest stable and tests-passed versions | ||
| CVE-2023-29196 | — | < 3.1.0 | 3.1.0 | Apr 18, 2023 | Discourse is an open source platform for community discussion. This vulnerability is not exploitable on the default install of Discourse. A custom feature must be enabled for it to work at all, and the attacker’s payload must pass the CSP to be executed. However, if an attacker s | ||
| CVE-2023-28440 | — | < 3.0.3 | 3.0.3 | Apr 18, 2023 | Discourse is an open source platform for community discussion. In affected versions a maliciously crafted request from a Discourse administrator can lead to a long-running request and eventual timeout. This has the greatest potential impact in shared hosting environments where ad | ||
| CVE-2023-28112 | — | < 3.1.0 | 3.1.0 | Mar 17, 2023 | Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, some user provided URLs were being passed to FastImage without SSRF protection. Insufficient protections could enable attackers to trigger outbound network con | ||
| CVE-2023-28111 | — | < 3.1.0 | 3.1.0 | Mar 17, 2023 | Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, attackers are able to bypass Discourse's server-side request forgery (SSRF) protection for private IPv4 addresses by using a IPv4-mapped IPv6 address. The issu |
- CVE-2023-38706Sep 15, 2023affected < 3.1.1fixed 3.1.1
Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious user can create an unlimited number of drafts with very long draft keys which may end up exhausting the re
- CVE-2023-38685Jul 28, 2023affected < 3.0.6fixed 3.0.6
Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, information about restricted-visibility topic tags could be obtained by unauthorized users. The issue is patched in ve
- CVE-2023-38684Jul 28, 2023affected < 3.0.6fixed 3.0.6
Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, in multiple controller actions, Discourse accepts limit params but does not impose any upper bound on the values being
- CVE-2023-38498Jul 28, 2023affected < 3.0.6fixed 3.0.6
Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a malicious user can prevent the defer queue from proceeding promptly on sites hosted in the same multisite installati
- CVE-2023-37906Jul 28, 2023affected < 3.0.6fixed 3.0.6
Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a malicious user can edit a post in a topic and cause a DoS with a carefully crafted edit reason. The issue is patched
- CVE-2023-37904Jul 28, 2023affected < 3.0.6fixed 3.0.6
Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, more users than permitted could be created from invite links. The issue is patched in version 3.0.6 of the `stable` br
- CVE-2023-37467Jul 28, 2023affected >= 1.1.0-beta1, <= 1.1.0-beta1
Discourse is an open source discussion platform. Prior to version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a CSP (Content Security Policy) nonce reuse vulnerability was discovered could allow cross-site scripting (XSS) attacks to bypass CSP protection for anonymous
- CVE-2023-36818Jul 14, 2023affected >= 3.1.0-beta5, <= 3.1.0-beta5
Discourse is an open source discussion platform. In affected versions a request to create or update custom sidebar section can cause a denial of service. This issue has been patched in commit `52b003d915`. Users are advised to upgrade. There are no known workarounds for this vuln
- CVE-2023-36466Jul 14, 2023affected < 3.0.5fixed 3.0.5
Discourse is an open source discussion platform. When editing a topic, there is a vulnerability that enables a user to bypass the topic title validations for things like title length, number of emojis in title and blank topic titles. The issue is patched in the latest stable, bet
- CVE-2023-36473Jul 13, 2023affected < 3.0.5fixed 3.0.5
Discourse is an open source discussion platform. A CSP (Content Security Policy) nonce reuse vulnerability could allow XSS attacks to bypass CSP protection. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack t
- CVE-2023-34250Jun 13, 2023affected < 3.0.4fixed 3.0.4
Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, an attacker could use the new topics dismissal endpoint to reveal the number of topics recently created (but not the a
- CVE-2023-32301Jun 13, 2023affected < 3.0.4fixed 3.0.4
Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, multiple duplicate topics could be created if topic embedding is enabled. This issue is patched in version 3.0.4 of th
- CVE-2023-32061Jun 13, 2023affected < 3.0.4fixed 3.0.4
Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, the lack of restrictions on the iFrame tag makes it easy for an attacker to exploit the vulnerability and hide subsequ
- CVE-2023-31142Jun 13, 2023affected < 3.0.4fixed 3.0.4
Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, if a site has modified their general category permissions, they could be set back to the default. This issue is patche
- CVE-2023-30606Apr 18, 2023affected < 3.1.0fixed 3.1.0
Discourse is an open source platform for community discussion. In affected versions a user logged as an administrator can call arbitrary methods on the `SiteSetting` class, notably `#clear_cache!` and `#notify_changed!`, which when done on a multisite instance, can affect the ent
- CVE-2023-30538Apr 18, 2023affected < 3.1.0fixed 3.1.0
Discourse is an open source platform for community discussion. Due to the improper sanitization of SVG files, an attacker can execute arbitrary JavaScript on the users’ browsers by uploading a crafted SVG file. This issue is patched in the latest stable and tests-passed versions
- CVE-2023-29196Apr 18, 2023affected < 3.1.0fixed 3.1.0
Discourse is an open source platform for community discussion. This vulnerability is not exploitable on the default install of Discourse. A custom feature must be enabled for it to work at all, and the attacker’s payload must pass the CSP to be executed. However, if an attacker s
- CVE-2023-28440Apr 18, 2023affected < 3.0.3fixed 3.0.3
Discourse is an open source platform for community discussion. In affected versions a maliciously crafted request from a Discourse administrator can lead to a long-running request and eventual timeout. This has the greatest potential impact in shared hosting environments where ad
- CVE-2023-28112Mar 17, 2023affected < 3.1.0fixed 3.1.0
Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, some user provided URLs were being passed to FastImage without SSRF protection. Insufficient protections could enable attackers to trigger outbound network con
- CVE-2023-28111Mar 17, 2023affected < 3.1.0fixed 3.1.0
Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, attackers are able to bypass Discourse's server-side request forgery (SSRF) protection for private IPv4 addresses by using a IPv4-mapped IPv6 address. The issu
Page 9 of 13