VYPR

Discourse

by Discourse (software)

CVEs (262)

  • CVE-2022-21677 (Jan 14, 2022)
    risk 0.00 | cvss | epss 0.01

    Discourse is an open source discussion platform. Discourse groups can be configured with varying visibility levels for the group as well as the group members. By default, a newly created group has its visibility set to public and the group's members visibility set to public as…

  • CVE-2022-21684 (Jan 13, 2022)
    risk 0.00 | cvss | epss 0.01

    Discourse is an open source discussion platform. Versions prior to 2.7.13 in `stable`, 2.8.0.beta11 in `beta`, and 2.8.0.beta11 in `tests-passed` allow some users to log in to a community before they should be able to do so. A user invited via email to a forum with…

  • CVE-2022-21678 (Jan 13, 2022)
    risk 0.00 | cvss | epss 0.01

    Discourse is an open source discussion platform. Prior to version 2.8.0.beta11 in the `tests-passed` branch, version 2.8.0.beta11 in the `beta` branch, and version 2.7.13 in the `stable` branch, the bios of users who made their profiles private were still visible in the ``…

  • CVE-2022-21642 (Jan 5, 2022)
    risk 0.00 | cvss | epss 0.01

    Discourse is an open source platform for community discussion. In affected versions, when composing a message from a topic, the composer's user suggestions reveal whisper participants. The issue has been patched in stable version 2.7.13 and beta version 2.8.0.beta11. There is no…

  • CVE-2021-43850 (Jan 4, 2022)
    risk 0.00 | cvss | epss 0.01

    Discourse is an open source platform for community discussion. In affected versions admin users can trigger a Denial of Service attack via the `/message-bus/_diagnostics` path. The impact of this vulnerability is greater on multisite Discourse instances (where multiple forums…

  • CVE-2021-43793 (Dec 1, 2021)
    risk 0.00 | cvss | epss 0.01

    Discourse is an open source discussion platform. In affected versions a vulnerability in the Polls feature allowed users to vote multiple times in a single-option poll. The problem is patched in the latest tests-passed, beta and stable versions of Discourse

  • CVE-2021-43794 (Dec 1, 2021)
    risk 0.00 | cvss | epss 0.01

    Discourse is an open source discussion platform. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown a JSON blob instead of the HTML page. This can lead to a partial denial-of-service. This issue is…

  • CVE-2021-43792 (Dec 1, 2021)
    risk 0.00 | cvss | epss 0.01

    Discourse is an open source discussion platform. In affected versions a vulnerability affects users of tag groups who use the "Tags are visible only to the following groups" feature. A tag group may only allow a certain group (e.g. staff) to view certain tags. Users who were…

  • CVE-2021-41271 (Nov 15, 2021)
    risk 0.00 | cvss | epss 0.01

    Discourse is a platform for community discussion. In affected versions a maliciously crafted request could cause an error response to be cached by intermediate proxies. This could cause a loss of confidentiality for some content. This issue is patched in the latest stable, beta…

  • CVE-2021-41095 (Sep 27, 2021)
    risk 0.00 | cvss | epss 0.01

    Discourse is an open source discussion platform. There is a cross-site scripting (XSS) vulnerability in versions 2.7.7 and earlier of the `stable` branch, versions 2.8.0.beta6 and earlier of the `beta` branch, and versions 2.8.0.beta6 and earlier of the `tests-passed` branch.…

  • CVE-2020-24327 (Sep 23, 2021)
    risk 0.00 | cvss | epss 0.01

    Server Side Request Forgery (SSRF) vulnerability exists in Discourse 2.3.2 and 2.6 via the email function. When writing an email in an editor, you can upload pictures of remote websites.

  • CVE-2021-41082 (Sep 20, 2021)
    risk 0.00 | cvss | epss 0.02

    Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not…

  • CVE-2021-39161 (Aug 26, 2021)
    risk 0.00 | cvss | epss 0.00

    Discourse is an open source platform for community discussion. In affected versions category names can be used for Cross-site scripting (XSS) attacks. This is mitigated by Discourse's default Content Security Policy and this vulnerability only affects sites which have modified or…

  • CVE-2021-37703 (Aug 13, 2021)
    risk 0.00 | cvss | epss 0.01

    Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta5, a user's read state for a topic such as the last read post number and the notification level is exposed.

  • CVE-2021-37693 (Aug 13, 2021)
    risk 0.00 | cvss | epss 0.01

    Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting…

  • CVE-2021-37633 (Aug 9, 2021)
    risk 0.00 | cvss | epss 0.01

    Discourse is an open source discussion platform. In versions prior to 2.7.8 rendering of d-popover tooltips can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy. This issue is patched…

  • CVE-2021-32788 (Jul 27, 2021)
    risk 0.00 | cvss | epss 0.01

    Discourse is an open source discussion platform. In versions prior to 2.7.7 there are two bugs which led to the post creator of a whisper post being revealed to non-staff users. 1: A staff user that creates a whisper post in a personal message is revealed to non-staff…

  • CVE-2021-32764 (Jul 15, 2021)
    risk 0.00 | cvss | epss 0.01

    Discourse is an open-source discussion platform. In Discourse versions 2.7.5 and prior, parsing and rendering of YouTube Oneboxes can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy.…

  • CVE-2021-3138 (Jan 14, 2021)
    risk 0.00 | cvss | epss 0.03

    In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.

  • CVE-2019-15515 (Aug 26, 2019)
    risk 0.00 | cvss | epss 0.01

    Discourse 2.3.2 sends the CSRF token in the query string.

Page 13 of 14