CVE-2024-39320 – Discourse allows iframe injection though default site setting
https://notcve.org/view.php?id=CVE-2024-39320
Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5. • https://github.com/discourse/discourse/commit/188cb58daa833839c54c266ce22db150a3f3a210 https://github.com/discourse/discourse/commit/76f06f6b1491db6bd09a4017d2c5591431b3b16e https://github.com/discourse/discourse/security/advisories/GHSA-4p82-xh38-gq4p • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVE-2024-37299 – Discourse vulnerable to DoS via Tag Group
https://notcve.org/view.php?id=CVE-2024-37299
Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, crafting requests to submit very long tag group names can reduce the availability of a Discourse instance. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5. • https://github.com/discourse/discourse/commit/188cb58daa833839c54c266ce22db150a3f3a210 https://github.com/discourse/discourse/commit/76f06f6b1491db6bd09a4017d2c5591431b3b16e https://github.com/discourse/discourse/security/advisories/GHSA-4j6h-9pjp-5476 • CWE-400: Uncontrolled Resource Consumption •
CVE-2024-37165 – Discourse has an XSS via Onebox system
https://notcve.org/view.php?id=CVE-2024-37165
Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability is fixed in 3.2.3 and 3.3.0.beta3. • https://github.com/discourse/discourse/commit/26aef0c288839378b9de5819e96eac8cf4ea60fd https://github.com/discourse/discourse/commit/311b737c910cf0a69f61e1b8bc0b78374b6619d2 https://github.com/discourse/discourse/security/advisories/GHSA-cx83-5p6x-9qh9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-38360 – Denial of service via Watched Words in Discourse
https://notcve.org/view.php?id=CVE-2024-38360
Discourse is an open source platform for community discussion. In affected versions by creating replacement words with an almost unlimited number of characters, a moderator can reduce the availability of a Discourse instance. This issue has been addressed in stable version 3.2.3 and in current betas. Users are advised to upgrade. Users unable to upgrade may manually remove the long watched words either via SQL or Rails console. • https://github.com/discourse/discourse/commit/7b53e610c17e38be982dffefa4e5b5a709a3b990 https://github.com/discourse/discourse/security/advisories/GHSA-68pm-hm8x-pq2p • CWE-400: Uncontrolled Resource Consumption •
CVE-2024-37157 – Discourse vulnerable to Server-Side Request Forgery via FastImage
https://notcve.org/view.php?id=CVE-2024-37157
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, a malicious actor could get the FastImage library to redirect requests to an internal Discourse IP. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. No known workarounds are available. • https://github.com/discourse/discourse/commit/5b8cf11b69e05d5c058c1148ec69ec309491fa6e https://github.com/discourse/discourse/commit/67e78086035cec494b15ce79342a0cb9052c2d95 https://github.com/discourse/discourse/security/advisories/GHSA-46pq-7958-fc68 • CWE-918: Server-Side Request Forgery (SSRF) •