Discourse
Source repositories
CVEs (262)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-39355 | | | 0.00 | — | 0.01 | | Oct 26, 2022 | Discourse Patreon enables synchronization between Discourse Groups and Patreon rewards. On sites with Patreon login enabled, an improper authentication vulnerability could be used to take control of a victim's forum account. This vulnerability is patched in commit number… |
| CVE-2022-39279 | | | 0.00 | — | 0.00 | | Oct 6, 2022 | discourse-chat is a plugin for the Discourse message board which adds chat functionality. In versions prior to 0.9 some places render a chat channel's name and description in an unsafe way, allowing staff members to cause a cross site scripting (XSS) attack by inserting unsafe… |
| CVE-2022-39232 | | | 0.00 | — | 0.01 | | Sep 29, 2022 | Discourse is an open source discussion platform. Starting with version 2.9.0.beta5 and prior to version 2.9.0.beta10, an incomplete quote can generate a JavaScript error which will crash the current page in the browser in some cases. Version 2.9.0.beta10 added a fix and tests to… |
| CVE-2022-39226 | | | 0.00 | — | 0.01 | | Sep 29, 2022 | Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, a malicious actor can add large payloads of text into the Location and Website fields of a user profile, which… |
| CVE-2022-36068 | | | 0.00 | — | 0.01 | | Sep 29, 2022 | Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, a moderator can create new and edit existing themes by using the API when they should not be able to do so. The… |
| CVE-2022-36066 | | | 0.00 | — | 0.02 | | Sep 29, 2022 | Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and… |
| CVE-2022-36057 | | | 0.00 | — | 0.00 | | Sep 6, 2022 | Discourse-Chat is an asynchronous messaging plugin for the Discourse open-source discussion platform. Users of Discourse Chat can be affected by admin users inserting HTML into chat titles and descriptions, causing a Cross-Site Scripting (XSS) attack. Version 0.9 contains a… |
| CVE-2022-37458 | | | 0.00 | — | 0.01 | | Sep 2, 2022 | Discourse through 2.8.7 allows admins to send invitations to arbitrary email addresses at an unlimited rate. |
| CVE-2022-31184 | | | 0.00 | — | 0.01 | | Aug 1, 2022 | Discourse is an open source discussion platform. In affected versions an email activation route can be abused to send mass spam emails. A fix has been included in the latest stable, beta and tests-passed versions of Discourse which rate limits emails. Users are advised to… |
| CVE-2022-31182 | | | 0.00 | — | 0.01 | | Aug 1, 2022 | Discourse is an open source discussion platform. In affected versions a maliciously crafted request for static assets could cause error responses to be cached by Discourse's default NGINX proxy configuration. A corrected NGINX configuration is included in the latest stable,… |
| CVE-2022-31096 | | | 0.00 | — | 0.00 | | Jun 27, 2022 | Discourse is an open source discussion platform. Under certain conditions, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggravated… |
| CVE-2022-31095 | | | 0.00 | — | 0.01 | | Jun 21, 2022 | discourse-chat is a chat plugin for the Discourse application. Versions prior to 0.4 are vulnerable to an exposure of sensitive information, where an attacker who knows the message ID for a channel they do not have access to can view that message using the chat message lookup… |
| CVE-2022-31060 | | | 0.00 | — | 0.01 | | Jun 14, 2022 | Discourse is an open-source discussion platform. Prior to version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches, banner topic data is exposed on login-required sites. This issue is patched in version 2.8.4 in the `stable` branch… |
| CVE-2022-31025 | | | 0.00 | — | 0.01 | | Jun 3, 2022 | Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the `stable` branch and 2.9.0.beta5 on the `beta` and `tests-passed` branches, inviting users on sites that use single sign-on could bypass the `must_approve_users` check and invites by staff… |
| CVE-2022-24866 | | | 0.00 | — | 0.01 | | Apr 26, 2022 | Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only being serialized to… |
| CVE-2022-24850 | | | 0.00 | — | 0.01 | | Apr 14, 2022 | Discourse is an open source platform for community discussion. A category's group permissions settings can be viewed by anyone that has access to the category. As a result, a normal user is able to see whether a group has read/write permissions in the category even though the… |
| CVE-2022-24824 | | | 0.00 | — | 0.01 | | Apr 14, 2022 | Discourse is an open source platform for community discussion. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown the crawler view of the site instead of the HTML page. This can lead to a partial… |
| CVE-2022-24804 | | | 0.00 | — | 0.01 | | Apr 11, 2022 | Discourse is an open source platform for community discussion. Stable versions prior to 2.8.3 and beta versions prior to 2.9.0.beta4 erroneously expose groups. When a group with restricted visibility has been used to set the permissions of a category, the name of the group is… |
| CVE-2022-24782 | | | 0.00 | — | 0.01 | | Mar 24, 2022 | Discourse is an open source discussion platform. Versions 2.8.2 and prior in the `stable` branch, 2.9.0.beta3 and prior in the `beta` branch, and 2.9.0.beta3 and prior in the `tests-passed` branch are vulnerable to a data leak. Users can request an export of their own activity.… |
| CVE-2022-23641 | | | 0.00 | — | 0.01 | | Feb 15, 2022 | Discourse is an open source discussion platform. In versions prior to 2.8.1 in the `stable` branch, 2.9.0.beta2 in the `beta` branch, and 2.9.0.beta2 in the `tests-passed` branch, users can trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the… |
Page 12 of 14