CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43657 – Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration
https://notcve.org/view.php?id=CVE-2023-43657
discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. • https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 214EXPL: 0CVE-2023-41043 – Discourse DoS via SvgSprite cache
https://notcve.org/view.php?id=CVE-2023-41043
Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious admin could create extremely large icons sprites, which would then be cached in each server process. This may cause server processes to be killed and lead to downtime. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. This is only a concern for multisite installations. • https://github.com/discourse/discourse/security/advisories/GHSA-28hh-h5xw-xgvx • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 0%CPEs: 214EXPL: 0CVE-2023-41042 – Discourse DoS via remote theme assets
https://notcve.org/view.php?id=CVE-2023-41042
Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, importing a remote theme loads their assets into memory without enforcing limits for file size or number of files. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. There are no known workarounds. Discourse es una plataforma de debate de código abierto. • https://github.com/discourse/discourse/security/advisories/GHSA-2fq5-x3mm-v254 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 0%CPEs: 214EXPL: 0CVE-2023-40588 – Discourse DoS via 2FA and Security Key Names
https://notcve.org/view.php?id=CVE-2023-40588
Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious user could add a 2FA or security key with a carefully crafted name to their account and cause a denial of service for other users. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. There are no known workarounds. Discourse es una plataforma de debate de código abierto. • https://github.com/discourse/discourse/security/advisories/GHSA-2hg5-3xm3-9vvx • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 0%CPEs: 9EXPL: 1CVE-2023-38706 – Discourse vulnerable to DoS via drafts
https://notcve.org/view.php?id=CVE-2023-38706
Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious user can create an unlimited number of drafts with very long draft keys which may end up exhausting the resources on the server. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. There are no known workarounds. Discourse es una plataforma de debate de código abierto. • https://github.com/discourse/discourse/security/advisories/GHSA-7wpp-4pqg-gvp8 • CWE-770: Allocation of Resources Without Limits or Throttling •