CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-25819 – Discourse tags with no visibility are leaking into og:article:tag
https://notcve.org/view.php?id=CVE-2023-25819
Discourse is an open source platform for community discussion. Tags that are normally private are showing in metadata. This affects any site running the `tests-passed` or `beta` branches >= 3.1.0.beta2. The issue is patched in the latest `beta` and `tests-passed` version of Discourse. • https://github.com/discourse/discourse/commit/a9f2c6db64e7d78b8e0f55e7bd77c5fe3459b831 https://github.com/discourse/discourse/security/advisories/GHSA-xx2h-mwm7-hq6q • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-25167 – Regular expression denial of service via installing themes via git in discourse
https://notcve.org/view.php?id=CVE-2023-25167
Discourse is an open source discussion platform. In affected versions a malicious user can cause a regular expression denial of service using a carefully crafted git URL. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/discourse/discourse/commit/ec4c30270887366dc28788bc4ab8a22a098573cd https://github.com/discourse/discourse/security/advisories/GHSA-4w55-w26q-r35w • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 5.3EPSS: 0%CPEs: 208EXPL: 0CVE-2023-23615 – Malicious users in Discourse can create spam topics as any user due to improper access control
https://notcve.org/view.php?id=CVE-2023-23615
Discourse is an open source discussion platform. The embeddable comments can be exploited to create new topics as any user but without any clear title or content. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. As a workaround, disable embeddable comments by deleting all embeddable hosts. • https://github.com/discourse/discourse/security/advisories/GHSA-7mf3-5v84-wxq8 • CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 208EXPL: 0CVE-2023-23624 – Discourse's exclude_tags param could leak which topics had a specific hidden tag
https://notcve.org/view.php?id=CVE-2023-23624
Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches, someone can use the `exclude_tag param` to filter out topics and deduce which ones were using a specific hidden tag. This affects any Discourse site using hidden tags in public categories. This issue is patched in version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches. As a workaround, secure any categories that are using hidden tags, change any existing hidden tags to not include private data, or remove any hidden tags currently in use. • https://github.com/discourse/discourse/commit/f55e0fe7910149c431861c18ce407d1be0d6091a https://github.com/discourse/discourse/pull/20006 https://github.com/discourse/discourse/security/advisories/GHSA-qgj5-g5vf-fm7q • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.6EPSS: 0%CPEs: 208EXPL: 0CVE-2023-23621 – Discourse vulnerable to ReDoS in user agent parsing
https://notcve.org/view.php?id=CVE-2023-23621
Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches, a malicious user can cause a regular expression denial of service using a carefully crafted user agent. This issue is patched in version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches. There are no known workarounds. Discourse es una plataforma de discusión de código abierto. • https://github.com/discourse/discourse/commit/6d92c3cbdac431db99a450f360a3048bb3aaf458 https://github.com/discourse/discourse/pull/20002 https://github.com/discourse/discourse/security/advisories/GHSA-mrfp-54hf-jrcv • CWE-1333: Inefficient Regular Expression Complexity •