CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 0CVE-2022-41944 – Discourse users can see notifications for topics they no longer have access to
https://notcve.org/view.php?id=CVE-2022-41944
Discourse is an open-source discussion platform. In stable versions prior to 2.8.12 and beta or tests-passed versions prior to 2.9.0.beta.13, under certain conditions, a user can see notifications for topics they no longer have access to. If there is sensitive information in the topic title, it will therefore have been exposed. This issue is patched in stable version 2.8.12, beta version 2.9.0.beta13, and tests-passed version 2.9.0.beta13. There are no workarounds available. • https://github.com/discourse/discourse/commit/c6ee28ec756436cc9ce154dd2c8e4c441f92f693 https://github.com/discourse/discourse/security/advisories/GHSA-354r-jpj5-53c2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 0CVE-2022-41921 – Discourse chat messages should have a maximum character limit
https://notcve.org/view.php?id=CVE-2022-41921
Discourse is an open-source discussion platform. Prior to version 2.9.0.beta13, users can post chat messages of an unlimited length, which can cause a denial of service for other users when posting huge amounts of text. Users should upgrade to version 2.9.0.beta13, where a limit has been introduced. No known workarounds are available. Discourse es una plataforma de discusión de código abierto. • https://github.com/discourse/discourse/commit/3de765c89524a526ce611e11468d758a471a933f https://github.com/discourse/discourse/security/advisories/GHSA-mfh7-6cv6-qccc • CWE-20: Improper Input Validation CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 0%CPEs: 10EXPL: 0CVE-2022-39385 – Users erroneously and transparently added to private messages in Discourse
https://notcve.org/view.php?id=CVE-2022-39385
Discourse is the an open source discussion platform. In some rare cases users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this, it happens transparently in the background. This issue has been resolved in commit `a414520742` and will be included in future releases. Users are advised to upgrade. • https://github.com/discourse/discourse/commit/a414520742da8dc9dc976d4fb7b72dbd445813bb https://github.com/discourse/discourse/security/advisories/GHSA-gh5r-j595-qx48 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41913 – Discourse-calendar exposes members of hidden groups
https://notcve.org/view.php?id=CVE-2022-41913
Discourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Members of private groups or public groups with private members can be listed by users, who can create and edit post events. This vulnerability only affects sites which have discourse post events enabled. This issue has been patched in commit `ca5ae3e7e` which will be included in future releases. Users unable to upgrade should disable the `discourse_post_event_enabled` setting to fully mitigate the issue. • https://github.com/discourse/discourse-calendar/commit/ca5ae3e7e0c2b32af5ca4ec69c95e95b2ecef2e9 https://github.com/discourse/discourse-calendar/security/advisories/GHSA-jh96-w279-g7r9 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.9EPSS: 0%CPEs: 11EXPL: 0CVE-2022-39356 – Discourse user account takeover via email and invite link
https://notcve.org/view.php?id=CVE-2022-39356
Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with `SiteSetting.max_invites_per_day = 0` or scope them to individual email addresses. Discourse es una plataforma para la discusión comunitaria. • https://github.com/discourse/discourse/pull/18817 https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 • CWE-285: Improper Authorization •