CVSS: 6.8EPSS: 0%CPEs: 15EXPL: 0CVE-2022-23549 – Discourse vulnerable to bypass of post max_length using HTML comments
https://notcve.org/view.php?id=CVE-2022-23549
05 Jan 2023 — Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, users can create posts with raw body longer than the `max_length` site setting by including html comments that are not counted toward the character limit. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds. • https://github.com/discourse/discourse/commit/bf6b08670a927cc80bb090b7a2e710b4b554e6a8 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41082 – Private message title and participating users leaked in discourse
https://notcve.org/view.php?id=CVE-2021-41082
20 Sep 2021 — Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not compromised as users were not able to view the posts in the leaked private message despite seeing it in their inbox. The problematic commit was reverted around 32 minutes after it was made. Users are encouraged to upgrade to the latest com... • https://github.com/discourse/discourse/commit/27bad28c530c89acab35a56b945b6a3924280f4b • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •