CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2023-25172 – Discourse vulnerable to Cross-site Scripting - user name displayed on post
https://notcve.org/view.php?id=CVE-2023-25172
Discourse is an open-source discussion platform. Prior to version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, a maliciously crafted URL can be included in a user's full name field to to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. The vulnerability is patched in version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches. As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse. • https://github.com/discourse/discourse/commit/1a5a6f66cb821ed29a737311d6fdc2eba5adc915 https://github.com/discourse/discourse/commit/c186a46910431020e8efc425dec2133e7a99fa9a https://github.com/discourse/discourse/pull/20008 https://github.com/discourse/discourse/pull/20009 https://github.com/discourse/discourse/security/advisories/GHSA-7pm2-prxw-wrvp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-26040 – Discourse chat messages susceptible to Cross-site Scripting through chat excerpts
https://notcve.org/view.php?id=CVE-2023-26040
Discourse is an open-source discussion platform. Between versions 3.1.0.beta2 and 3.1.0.beta3 of the `tests-passed` branch, editing or responding to a chat message containing malicious content could lead to a cross-site scripting attack. This issue is patched in version 3.1.0.beta3 of the `tests-passed` branch. There are no known workarounds. • https://github.com/discourse/discourse/commit/a373bf2a01488c206e7feb28a9d2361b22ce6e70 https://github.com/discourse/discourse/security/advisories/GHSA-ccfc-qpmp-gq87 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 207EXPL: 0CVE-2023-23622 – Discourse: Presence of read restricted topics may be leaked if tagged with a tag that is visible to all users
https://notcve.org/view.php?id=CVE-2023-23622
Discourse is an open-source discussion platform. Prior to version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, the count of topics displayed for a tag is a count of all regular topics regardless of whether the topic is in a read restricted category or not. As a result, any users can technically poll a sensitive tag to determine if a new topic is created in a category which the user does not have excess to. In version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, the count of topics displayed for a tag defaults to only counting regular topics which are not in read restricted categories. Staff users will continue to see a count of all topics regardless of the topic's category read restrictions. • https://github.com/discourse/discourse/commit/105fee978d73b0ec23ff814a09d1c0c9ace95164 https://github.com/discourse/discourse/commit/ecb9aa5dba94741d9579f4f873f0675f48b4184f https://github.com/discourse/discourse/pull/20004 https://github.com/discourse/discourse/pull/20005 https://github.com/discourse/discourse/security/advisories/GHSA-2wvr-4x7w-v795 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 208EXPL: 0CVE-2023-23935 – Presence of restricted personal Discourse messages may be leaked if tagged with a tag
https://notcve.org/view.php?id=CVE-2023-23935
Discourse is an open-source messaging platform. In versions 3.0.1 and prior on the `stable` branch and versions 3.1.0.beta2 and prior on the `beta` and `tests-passed` branches, the count of personal messages displayed for a tag is a count of all personal messages regardless of whether the personal message is visible to a given user. As a result, any users can technically poll a sensitive tag to determine if a new personal message is created even if the user does not have access to the personal message. In the patched versions, the count of personal messages tagged with a given tag is hidden by default. To revert to the old behaviour of displaying the count of personal messages for a given tag, an admin may enable the `display_personal_messages_tag_counts` site setting. • https://github.com/discourse/discourse/commit/f31f0b70f82c43d93220ce6fc0d4f57440452f37 https://github.com/discourse/discourse/security/advisories/GHSA-rf8j-mf8c-82v7 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25169 – Yearly Review Plugin leaking anonymised users data in discourse-yearly-review
https://notcve.org/view.php?id=CVE-2023-25169
discourse-yearly-review is a discourse plugin which publishes an automated Year in Review topic. In affected versions a user present in a yearly review topic that is then anonymised will still have some data linked to its original account. This issue has been patched in commit `b3ab33bbf7` which is included in the latest version of the Discourse Yearly Review plugin. Users are advised to upgrade. Users unable to upgrade may disable the `yearly_review_enabled` setting to fully mitigate the issue. • https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •