Page 18 of 128 results (0.010 seconds)

CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 0

Discourse is an open-source discussion platform. Prior to version 2.9.0.beta13, users can post chat messages of an unlimited length, which can cause a denial of service for other users when posting huge amounts of text. Users should upgrade to version 2.9.0.beta13, where a limit has been introduced. No known workarounds are available. Discourse es una plataforma de discusión de código abierto. • https://github.com/discourse/discourse/commit/3de765c89524a526ce611e11468d758a471a933f https://github.com/discourse/discourse/security/advisories/GHSA-mfh7-6cv6-qccc • CWE-20: Improper Input Validation CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 6.5EPSS: 0%CPEs: 10EXPL: 0

Discourse is the an open source discussion platform. In some rare cases users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this, it happens transparently in the background. This issue has been resolved in commit `a414520742` and will be included in future releases. Users are advised to upgrade. • https://github.com/discourse/discourse/commit/a414520742da8dc9dc976d4fb7b72dbd445813bb https://github.com/discourse/discourse/security/advisories/GHSA-gh5r-j595-qx48 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •

CVSS: 8.9EPSS: 0%CPEs: 11EXPL: 0

Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with `SiteSetting.max_invites_per_day = 0` or scope them to individual email addresses. Discourse es una plataforma para la discusión comunitaria. • https://github.com/discourse/discourse/pull/18817 https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 • CWE-285: Improper Authorization •

CVSS: 5.3EPSS: 0%CPEs: 10EXPL: 0

Discourse is a platform for community discussion. Under certain conditions, a user badge may have been awarded based on a user's activity in a topic with restricted access. Before this vulnerability was disclosed, the topic title of the topic associated with the user badge may be viewed by any user. If there are sensitive information in the topic title, it will therefore have been exposed. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. • https://github.com/discourse/discourse/security/advisories/GHSA-2gvq-27h6-4h5f • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.6EPSS: 0%CPEs: 11EXPL: 0

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest `stable`, `beta`, and `test-passed` versions are now patched. As a workaround, self-hosters can use `DISCOURSE_BLOCKED_IP_BLOCKS` env var (which overrides `blocked_ip_blocks` setting) to stop webhooks from accessing private IPs. Discourse es una plataforma para la discusión comunitaria. • https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr • CWE-918: Server-Side Request Forgery (SSRF) •