Page 10 of 125 results (0.008 seconds)

CVSS: 6.8EPSS: 0%CPEs: 210EXPL: 0

Discourse is an open source discussion platform. A CSP (Content Security Policy) nonce reuse vulnerability could allow XSS attacks to bypass CSP protection. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to completely bypass CSP. The vulnerability is patched in the latest tests-passed, beta and stable branches. • https://github.com/discourse/discourse/security/advisories/GHSA-9f52-624j-8ppq • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0

Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, an attacker could use the new topics dismissal endpoint to reveal the number of topics recently created (but not the actual content thereof) in categories they didn't have access to. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. There are no known workarounds. • https://github.com/discourse/discourse/security/advisories/GHSA-q8m5-wmjr-3ppg • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0

Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, multiple duplicate topics could be created if topic embedding is enabled. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. As a workaround, disable topic embedding if it has been enabled. • https://github.com/discourse/discourse/security/advisories/GHSA-p2jx-m2j5-hqh4 • CWE-116: Improper Encoding or Escaping of Output •

CVSS: 5.4EPSS: 0%CPEs: 5EXPL: 0

Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, the lack of restrictions on the iFrame tag makes it easy for an attacker to exploit the vulnerability and hide subsequent comments from other users. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. There are no known workarounds. • https://github.com/discourse/discourse/security/advisories/GHSA-prx4-49m8-874g • CWE-863: Incorrect Authorization •

CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0

Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, if a site has modified their general category permissions, they could be set back to the default. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. A workaround, only if you are modifying the general category permissions, is to use a new category for the same purpose. • https://github.com/discourse/discourse/security/advisories/GHSA-286w-97m2-78x2 • CWE-732: Incorrect Permission Assignment for Critical Resource •