CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-28111 – Discourse vulnerable to SSRF protection bypass possible with IPv4-mapped IPv6 addresses
https://notcve.org/view.php?id=CVE-2023-28111
Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, attackers are able to bypass Discourse's server-side request forgery (SSRF) protection for private IPv4 addresses by using a IPv4-mapped IPv6 address. The issue is patched in the latest beta and tests-passed version of Discourse. version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds. • https://github.com/discourse/discourse/commit/fd16eade7fcc6bba4b71e71106a2eb13cdfdae4a https://github.com/discourse/discourse/pull/20710 https://github.com/discourse/discourse/security/advisories/GHSA-26h3-8ww8-v5fc • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.9EPSS: 0%CPEs: 4EXPL: 0CVE-2023-28107 – Discourse vulnerable to multisite DoS by spamming backups
https://notcve.org/view.php?id=CVE-2023-28107
Discourse is an open-source discussion platform. Prior to version 3.0.2 of the `stable` branch and version 3.1.0.beta3 of the `beta` and `tests-passed` branches, a user logged as an administrator can request backups multiple times, which will eat up all the connections to the DB. If this is done on a site using multisite, then it can affect the whole cluster. The vulnerability is patched in version 3.0.2 of the `stable` branch and version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds. • https://github.com/discourse/discourse/commit/0bd64788d2b4680c04fbef76314a24884d65fed9 https://github.com/discourse/discourse/commit/78a3efa7104eed6dd3ed7a06a71e2705337d9e61 https://github.com/discourse/discourse/pull/20700 https://github.com/discourse/discourse/pull/20701 https://github.com/discourse/discourse/security/advisories/GHSA-cp7c-fm4c-6xxx • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2023-25172 – Discourse vulnerable to Cross-site Scripting - user name displayed on post
https://notcve.org/view.php?id=CVE-2023-25172
Discourse is an open-source discussion platform. Prior to version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, a maliciously crafted URL can be included in a user's full name field to to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. The vulnerability is patched in version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches. As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse. • https://github.com/discourse/discourse/commit/1a5a6f66cb821ed29a737311d6fdc2eba5adc915 https://github.com/discourse/discourse/commit/c186a46910431020e8efc425dec2133e7a99fa9a https://github.com/discourse/discourse/pull/20008 https://github.com/discourse/discourse/pull/20009 https://github.com/discourse/discourse/security/advisories/GHSA-7pm2-prxw-wrvp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 207EXPL: 0CVE-2023-23622 – Discourse: Presence of read restricted topics may be leaked if tagged with a tag that is visible to all users
https://notcve.org/view.php?id=CVE-2023-23622
Discourse is an open-source discussion platform. Prior to version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, the count of topics displayed for a tag is a count of all regular topics regardless of whether the topic is in a read restricted category or not. As a result, any users can technically poll a sensitive tag to determine if a new topic is created in a category which the user does not have excess to. In version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, the count of topics displayed for a tag defaults to only counting regular topics which are not in read restricted categories. Staff users will continue to see a count of all topics regardless of the topic's category read restrictions. • https://github.com/discourse/discourse/commit/105fee978d73b0ec23ff814a09d1c0c9ace95164 https://github.com/discourse/discourse/commit/ecb9aa5dba94741d9579f4f873f0675f48b4184f https://github.com/discourse/discourse/pull/20004 https://github.com/discourse/discourse/pull/20005 https://github.com/discourse/discourse/security/advisories/GHSA-2wvr-4x7w-v795 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 208EXPL: 0CVE-2023-23935 – Presence of restricted personal Discourse messages may be leaked if tagged with a tag
https://notcve.org/view.php?id=CVE-2023-23935
Discourse is an open-source messaging platform. In versions 3.0.1 and prior on the `stable` branch and versions 3.1.0.beta2 and prior on the `beta` and `tests-passed` branches, the count of personal messages displayed for a tag is a count of all personal messages regardless of whether the personal message is visible to a given user. As a result, any users can technically poll a sensitive tag to determine if a new personal message is created even if the user does not have access to the personal message. In the patched versions, the count of personal messages tagged with a given tag is hidden by default. To revert to the old behaviour of displaying the count of personal messages for a given tag, an admin may enable the `display_personal_messages_tag_counts` site setting. • https://github.com/discourse/discourse/commit/f31f0b70f82c43d93220ce6fc0d4f57440452f37 https://github.com/discourse/discourse/security/advisories/GHSA-rf8j-mf8c-82v7 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •