CVE-2023-28440 – Denial of service via admin theme import route in Discourse
https://notcve.org/view.php?id=CVE-2023-28440
Discourse is an open source platform for community discussion. In affected versions a maliciously crafted request from a Discourse administrator can lead to a long-running request and eventual timeout. This has the greatest potential impact in shared hosting environments where admins are untrusted. This issue has been addressed in versions 3.0.3 and 3.1.0.beta4. Users are advised to upgrade. • https://github.com/discourse/discourse/security/advisories/GHSA-vm65-pv5h-6g3w • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-28112 – Discourse's SSRF protection missing for some FastImage requests
https://notcve.org/view.php?id=CVE-2023-28112
Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, some user-provided URLs were being passed to FastImage without SSRF protection. Insufficient protections could enable attackers to trigger outbound network connections from the Discourse server to private IP addresses. This affects any site running the `tests-passed` or `beta` branches at versions 3.1.0.beta2 and prior. This issue is patched in version 3.1.0.beta3 of the `beta` and `tests-passed` branches. • https://github.com/discourse/discourse/commit/39c2f63b35d90ebaf67b9604cf1d424e5984203c https://github.com/discourse/discourse/pull/20710 https://github.com/discourse/discourse/security/advisories/GHSA-9897-x229-55gh • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-28111 – Discourse vulnerable to SSRF protection bypass possible with IPv4-mapped IPv6 addresses
https://notcve.org/view.php?id=CVE-2023-28111
Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, attackers are able to bypass Discourse's server-side request forgery (SSRF) protection for private IPv4 addresses by using an IPv4-mapped IPv6 address. The issue is patched in the latest beta and tests-passed version of Discourse, version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds. • https://github.com/discourse/discourse/commit/fd16eade7fcc6bba4b71e71106a2eb13cdfdae4a https://github.com/discourse/discourse/pull/20710 https://github.com/discourse/discourse/security/advisories/GHSA-26h3-8ww8-v5fc • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-28107 – Discourse vulnerable to multisite DoS by spamming backups
https://notcve.org/view.php?id=CVE-2023-28107
Discourse is an open-source discussion platform. Prior to version 3.0.2 of the `stable` branch and version 3.1.0.beta3 of the `beta` and `tests-passed` branches, a user logged in as an administrator can request backups multiple times, which will eat up all the connections to the DB. If this is done on a site using multisite, then it can affect the whole cluster. The vulnerability is patched in version 3.0.2 of the `stable` branch and version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds. • https://github.com/discourse/discourse/commit/0bd64788d2b4680c04fbef76314a24884d65fed9 https://github.com/discourse/discourse/commit/78a3efa7104eed6dd3ed7a06a71e2705337d9e61 https://github.com/discourse/discourse/pull/20700 https://github.com/discourse/discourse/pull/20701 https://github.com/discourse/discourse/security/advisories/GHSA-cp7c-fm4c-6xxx • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2023-25172 – Discourse vulnerable to Cross-site Scripting - user name displayed on post
https://notcve.org/view.php?id=CVE-2023-25172
Discourse is an open-source discussion platform. Prior to version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, a maliciously crafted URL can be included in a user's full name field to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. The vulnerability is patched in version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches. As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse. • https://github.com/discourse/discourse/commit/1a5a6f66cb821ed29a737311d6fdc2eba5adc915 https://github.com/discourse/discourse/commit/c186a46910431020e8efc425dec2133e7a99fa9a https://github.com/discourse/discourse/pull/20008 https://github.com/discourse/discourse/pull/20009 https://github.com/discourse/discourse/security/advisories/GHSA-7pm2-prxw-wrvp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •