CVSS: 6.5EPSS: 0%CPEs: 15EXPL: 0CVE-2022-23548
https://notcve.org/view.php?id=CVE-2022-23548
Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, parsing posts can be susceptible to regular expression denial of service (ReDoS) attacks. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds. • https://github.com/discourse/discourse/pull/19737 https://github.com/discourse/discourse/security/advisories/GHSA-7rw2-f4x7-7pxf • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 4.3EPSS: 0%CPEs: 14EXPL: 0CVE-2022-46159 – Any authenticated Discourse user can create an unlisted topic
https://notcve.org/view.php?id=CVE-2022-46159
Discourse is an open-source discussion platform. In version 2.8.13 and prior on the `stable` branch and version 2.9.0.beta14 and prior on the `beta` and `tests-passed` branches, any authenticated user can create an unlisted topic. These topics, which are not readily available to other users, can take up unnecessary site resources. A patch for this issue is available in the `main` branch of Discourse. There are no known workarounds available. • https://github.com/discourse/discourse/commit/0ce38bd7bce862db251b882613ab7053ca777382 https://github.com/discourse/discourse/security/advisories/GHSA-qf99-xpx6-hgxp • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.1EPSS: 0%CPEs: 11EXPL: 0CVE-2022-46148 – Discourse allows self-XSS through malicious composer message
https://notcve.org/view.php?id=CVE-2022-46148
Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the `stable` branch and versions 2.9.0.beta11 and prior on the `beta` and `tests-passed` branches, users composing malicious messages and navigating to drafts page could self-XSS. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Discourse es una plataforma de mensajería de código abierto. • https://github.com/discourse/discourse/security/advisories/GHSA-c5h6-6gg5-84fh • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 0CVE-2022-46150 – Discourse may allow exposure of hidden tags in the subject of notification emails
https://notcve.org/view.php?id=CVE-2022-46150
Discourse is an open-source discussion platform. Prior to version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches, unauthorized users may learn of the existence of hidden tags and that they have been applied to topics that they have access to. This issue is patched in version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches. As a workaround, use the `disable_email` site setting to disable all emails to non-staff users. Discourse es una plataforma de debate de código abierto. • https://github.com/discourse/discourse/commit/84c83e8d4a1907f8a2972f0ab44b6402aa910c3b https://github.com/discourse/discourse/security/advisories/GHSA-rqvq-94h8-p5wv • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 0CVE-2022-41944 – Discourse users can see notifications for topics they no longer have access to
https://notcve.org/view.php?id=CVE-2022-41944
Discourse is an open-source discussion platform. In stable versions prior to 2.8.12 and beta or tests-passed versions prior to 2.9.0.beta.13, under certain conditions, a user can see notifications for topics they no longer have access to. If there is sensitive information in the topic title, it will therefore have been exposed. This issue is patched in stable version 2.8.12, beta version 2.9.0.beta13, and tests-passed version 2.9.0.beta13. There are no workarounds available. • https://github.com/discourse/discourse/commit/c6ee28ec756436cc9ce154dd2c8e4c441f92f693 https://github.com/discourse/discourse/security/advisories/GHSA-354r-jpj5-53c2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •