Discourse
Source repositories
CVEs (262)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-35234 | 0.00 | — | 0.00 | Jul 3, 2024 | Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, an attacker can execute arbitrary JavaScript on users’ browsers by posting a specific URL containing maliciously crafted meta… | |||
| CVE-2024-35227 | 0.00 | — | 0.01 | Jul 3, 2024 | Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, Oneboxing against a carefully crafted malicious URL can reduce the availability of a Discourse instance. The problem has been… | |||
| CVE-2024-27085 | 0.00 | — | 0.01 | Mar 15, 2024 | Discourse is an open source platform for community discussion. In affected versions users that are allowed to invite others can inject arbitrarily large data in parameters used in the invite route. The problem has been patched in the latest version of Discourse. Users are… | |||
| CVE-2024-27100 | 0.00 | — | 0.01 | Mar 15, 2024 | Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren't enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource… | |||
| CVE-2024-28242 | 0.00 | — | 0.00 | Mar 15, 2024 | Discourse is an open source platform for community discussion. In affected versions an attacker can learn that secret categories exist when they have backgrounds set. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to… | |||
| CVE-2024-24748 | 0.00 | — | 0.00 | Mar 15, 2024 | Discourse is an open source platform for community discussion. In affected versions an attacker can learn that a secret subcategory exists under a public category which has no public subcategories. The issue is patched in the latest stable, beta and tests-passed version of… | |||
| CVE-2024-24827 | 0.00 | — | 0.01 | Mar 15, 2024 | Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact… | |||
| CVE-2024-23834 | 0.00 | — | 0.00 | Jan 30, 2024 | Discourse is an open-source discussion platform. Improperly sanitized user input could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. The vulnerability is patched in… | |||
| CVE-2023-49099 | 0.00 | — | 0.00 | Jan 12, 2024 | Discourse is a platform for community discussion. Under very specific circumstances, secure upload URLs associated with posts can be accessed by guest users even when login is required. This vulnerability has been patched in 3.2.0.beta4 and 3.1.4. | |||
| CVE-2024-21655 | 0.00 | — | 0.01 | Jan 12, 2024 | Discourse is a platform for community discussion. For fields that are client editable, limits on sizes are not imposed. This allows a malicious actor to cause a Discourse instance to use excessive disk space and also often excessive bandwidth. The issue is patched 3.1.4 and… | |||
| CVE-2023-48297 | 0.00 | — | 0.01 | Jan 12, 2024 | Discourse is a platform for community discussion. The message serializer uses the full list of expanded chat mentions (@all and @here) which can lead to a very long array of users. This issue was patched in versions 3.1.4 and beta 3.2.0.beta5. | |||
| CVE-2023-47121 | 0.00 | — | 0.01 | Nov 10, 2023 | Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, the embedding feature is susceptible to server side request forgery. The issue is patched in version… | |||
| CVE-2023-47120 | 0.00 | — | 0.01 | Nov 10, 2023 | Discourse is an open source platform for community discussion. In versions 3.1.0 through 3.1.2 of the `stable` branch and versions 3.1.0,beta6 through 3.2.0.beta2 of the `beta` and `tests-passed` branches, Redis memory can be depleted by crafting a site with an abnormally long… | |||
| CVE-2023-47119 | 0.00 | — | 0.01 | Nov 10, 2023 | Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some links can inject arbitrary HTML tags when rendered through our Onebox engine. The issue is patched… | |||
| CVE-2023-46130 | 0.00 | — | 0.01 | Nov 10, 2023 | Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some theme components allow users to add svgs with unlimited `height` attributes, and this can affect… | |||
| CVE-2023-45816 | 0.00 | — | 0.00 | Nov 10, 2023 | Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, there is an edge case where a bookmark reminder is sent and an unread notification is generated, but… | |||
| CVE-2023-45806 | 0.00 | — | 0.01 | Nov 10, 2023 | Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, if a user has been quoted and uses a `|` in their full name, they might be able to trigger a bug that… | |||
| CVE-2023-44391 | 0.00 | — | 0.00 | Oct 16, 2023 | Discourse is an open source platform for community discussion. User summaries are accessible for anonymous users even when `hide_user_profiles_from_public` is enabled. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 version of Discourse. Users are advised to… | |||
| CVE-2023-44388 | 0.00 | — | 0.01 | Oct 16, 2023 | Discourse is an open source platform for community discussion. A malicious request can cause production log files to quickly fill up and thus result in the server running out of disk space. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse.… | |||
| CVE-2023-43814 | 0.00 | — | 0.00 | Oct 16, 2023 | Discourse is an open source platform for community discussion. Attackers with details specific to a poll in a topic can use the `/polls/grouped_poll_results` endpoint to view the content of options in the poll and the number of votes for groups of poll participants. This impacts… |
- CVE-2024-35234Jul 3, 2024risk 0.00cvss —epss 0.00
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, an attacker can execute arbitrary JavaScript on users’ browsers by posting a specific URL containing maliciously crafted meta…
- CVE-2024-35227Jul 3, 2024risk 0.00cvss —epss 0.01
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, Oneboxing against a carefully crafted malicious URL can reduce the availability of a Discourse instance. The problem has been…
- CVE-2024-27085Mar 15, 2024risk 0.00cvss —epss 0.01
Discourse is an open source platform for community discussion. In affected versions users that are allowed to invite others can inject arbitrarily large data in parameters used in the invite route. The problem has been patched in the latest version of Discourse. Users are…
- CVE-2024-27100Mar 15, 2024risk 0.00cvss —epss 0.01
Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren't enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource…
- CVE-2024-28242Mar 15, 2024risk 0.00cvss —epss 0.00
Discourse is an open source platform for community discussion. In affected versions an attacker can learn that secret categories exist when they have backgrounds set. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to…
- CVE-2024-24748Mar 15, 2024risk 0.00cvss —epss 0.00
Discourse is an open source platform for community discussion. In affected versions an attacker can learn that a secret subcategory exists under a public category which has no public subcategories. The issue is patched in the latest stable, beta and tests-passed version of…
- CVE-2024-24827Mar 15, 2024risk 0.00cvss —epss 0.01
Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact…
- CVE-2024-23834Jan 30, 2024risk 0.00cvss —epss 0.00
Discourse is an open-source discussion platform. Improperly sanitized user input could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. The vulnerability is patched in…
- CVE-2023-49099Jan 12, 2024risk 0.00cvss —epss 0.00
Discourse is a platform for community discussion. Under very specific circumstances, secure upload URLs associated with posts can be accessed by guest users even when login is required. This vulnerability has been patched in 3.2.0.beta4 and 3.1.4.
- CVE-2024-21655Jan 12, 2024risk 0.00cvss —epss 0.01
Discourse is a platform for community discussion. For fields that are client editable, limits on sizes are not imposed. This allows a malicious actor to cause a Discourse instance to use excessive disk space and also often excessive bandwidth. The issue is patched 3.1.4 and…
- CVE-2023-48297Jan 12, 2024risk 0.00cvss —epss 0.01
Discourse is a platform for community discussion. The message serializer uses the full list of expanded chat mentions (@all and @here) which can lead to a very long array of users. This issue was patched in versions 3.1.4 and beta 3.2.0.beta5.
- CVE-2023-47121Nov 10, 2023risk 0.00cvss —epss 0.01
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, the embedding feature is susceptible to server side request forgery. The issue is patched in version…
- CVE-2023-47120Nov 10, 2023risk 0.00cvss —epss 0.01
Discourse is an open source platform for community discussion. In versions 3.1.0 through 3.1.2 of the `stable` branch and versions 3.1.0,beta6 through 3.2.0.beta2 of the `beta` and `tests-passed` branches, Redis memory can be depleted by crafting a site with an abnormally long…
- CVE-2023-47119Nov 10, 2023risk 0.00cvss —epss 0.01
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some links can inject arbitrary HTML tags when rendered through our Onebox engine. The issue is patched…
- CVE-2023-46130Nov 10, 2023risk 0.00cvss —epss 0.01
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some theme components allow users to add svgs with unlimited `height` attributes, and this can affect…
- CVE-2023-45816Nov 10, 2023risk 0.00cvss —epss 0.00
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, there is an edge case where a bookmark reminder is sent and an unread notification is generated, but…
- CVE-2023-45806Nov 10, 2023risk 0.00cvss —epss 0.01
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, if a user has been quoted and uses a `|` in their full name, they might be able to trigger a bug that…
- CVE-2023-44391Oct 16, 2023risk 0.00cvss —epss 0.00
Discourse is an open source platform for community discussion. User summaries are accessible for anonymous users even when `hide_user_profiles_from_public` is enabled. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 version of Discourse. Users are advised to…
- CVE-2023-44388Oct 16, 2023risk 0.00cvss —epss 0.01
Discourse is an open source platform for community discussion. A malicious request can cause production log files to quickly fill up and thus result in the server running out of disk space. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse.…
- CVE-2023-43814Oct 16, 2023risk 0.00cvss —epss 0.00
Discourse is an open source platform for community discussion. Attackers with details specific to a poll in a topic can use the `/polls/grouped_poll_results` endpoint to view the content of options in the poll and the number of votes for groups of poll participants. This impacts…
Page 8 of 14