CVE-2022-46177 – Discourse password reset link can lead to an account takeover if user changes to a new email
https://notcve.org/view.php?id=CVE-2022-46177
Discourse is an open source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, when a user requests a password reset link email and then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account's primary email is re-linked to the old email. If the old email address is compromised or has changed ownership, this leads to an account takeover. This is however mitigated by the SiteSetting `email_token_valid_hours`, which is currently 48 hours. • https://github.com/discourse/discourse/commit/4bf306f0e3bf54a9ef9c5886bf1cfb85c20da570 https://github.com/discourse/discourse/commit/83944213b2b2454af80d0407f60d67641b1f0b38 https://github.com/discourse/discourse/security/advisories/GHSA-5www-jxvf-vrc3 • CWE-613: Insufficient Session Expiration
CVE-2022-23546 – Discourse vulnerable to private topic leak via email#send_digest
https://notcve.org/view.php?id=CVE-2022-23546
In version 2.9.0.beta14 of Discourse, an open-source discussion platform, maliciously embedded URLs can leak an admin's digest of recent topics, possibly exposing private information. A patch is available in version 2.9.0.beta15. There are no known workarounds for this issue. • https://github.com/discourse/discourse/commit/cf862e736565c6fa905c12b5dbe63d0bd056efb8 https://github.com/discourse/discourse/security/advisories/GHSA-q9jp-xv4g-328f • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-46168 – Group SMTP user emails are exposed in CC email header
https://notcve.org/view.php?id=CVE-2022-46168
Discourse is an open source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta15 on the `beta` and `tests-passed` branches, recipients of a group SMTP email could see the email addresses of all other users inside the group SMTP topic. Most of the time this is not an issue, as they are likely already familiar with one another's email addresses. This issue is patched in versions 2.8.14 and 2.9.0.beta15. The fix is that emails sent out via group SMTP to non-staged users now mask those addresses with blind carbon copy (BCC). • https://github.com/discourse/discourse/pull/19724 https://github.com/discourse/discourse/security/advisories/GHSA-8p7g-3wm6-p3rm • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
CVE-2022-23548
https://notcve.org/view.php?id=CVE-2022-23548
Discourse is an open source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, parsing posts can be susceptible to regular expression denial of service (ReDoS) attacks. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds. • https://github.com/discourse/discourse/pull/19737 https://github.com/discourse/discourse/security/advisories/GHSA-7rw2-f4x7-7pxf • CWE-1333: Inefficient Regular Expression Complexity
CVE-2022-23549 – Discourse vulnerable to bypass of post max_length using HTML comments
https://notcve.org/view.php?id=CVE-2022-23549
Discourse is an open source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, users can create posts with a raw body longer than the `max_length` site setting by including HTML comments, which are not counted toward the character limit. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds. • https://github.com/discourse/discourse/commit/bf6b08670a927cc80bb090b7a2e710b4b554e6a8 https://github.com/discourse/discourse/security/advisories/GHSA-p47g-v5wr-p4xp • CWE-20: Improper Input Validation