
CVSS: 4.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Discourse-jira is a Discourse plugin that allows Jira projects, issue types, fields and field options to be synced automatically. An administrator user can perform an SSRF attack by setting the Jira URL to an arbitrary location and enabling the `discourse_jira_verbose_log` site setting. A moderator user could manipulate the request path to the Jira API, allowing them to perform arbitrary GET requests using the Jira API credentials used by the application, potentially with elevated permissions.

• References: https://github.com/discourse/discourse-jira/commit/8a2d3ad228883199fd5f081cc93d173c88e2e48f https://github.com/discourse/discourse-jira/pull/50 https://github.com/discourse/discourse-jira/security/advisories/GHSA-pmv5-h2x6-35fh
• CWE-691: Insufficient Control Flow Management; CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross-site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9`, which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade.

• References: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 | EPSS: 0% | CPEs: 214 | EXPL: 0

Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious admin could create extremely large icon sprites, which would then be cached in each server process. This may cause server processes to be killed and lead to downtime. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. This is only a concern for multisite installations.

• References: https://github.com/discourse/discourse/security/advisories/GHSA-28hh-h5xw-xgvx
• CWE-770: Allocation of Resources Without Limits or Throttling

CVSS: 6.5 | EPSS: 0% | CPEs: 214 | EXPL: 0

Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, importing a remote theme loads its assets into memory without enforcing limits on file size or number of files. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. There are no known workarounds.

• References: https://github.com/discourse/discourse/security/advisories/GHSA-2fq5-x3mm-v254
• CWE-770: Allocation of Resources Without Limits or Throttling

CVSS: 6.5 | EPSS: 0% | CPEs: 214 | EXPL: 0

Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious user could add a 2FA or security key with a carefully crafted name to their account and cause a denial of service for other users. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. There are no known workarounds.

• References: https://github.com/discourse/discourse/security/advisories/GHSA-2hg5-3xm3-9vvx
• CWE-770: Allocation of Resources Without Limits or Throttling