Page 21 of 132 results (0.030 seconds)

CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0

Discourse is the an open source discussion platform. In affected versions a maliciously crafted request for static assets could cause error responses to be cached by Discourse's default NGINX proxy configuration. A corrected NGINX configuration is included in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/discourse/discourse/commit/7af25544c3940c4d046c51f4cfac9c72a06d4f50 https://github.com/discourse/discourse/security/advisories/GHSA-4ff8-3j78-w6pp • CWE-404: Improper Resource Shutdown or Release •

CVSS: 5.7EPSS: 0%CPEs: 6EXPL: 0

Discourse is an open source discussion platform. Under certain conditions, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggravated when the invite has been configured to add the user that accepts the invite into restricted groups. Once a user has been incorrectly added to a restricted group, the user may then be able to view content which that are restricted to the respective group. Users are advised to upgrade to the current stable releases. • https://github.com/discourse/discourse/security/advisories/GHSA-rvp8-459h-282r • CWE-281: Improper Preservation of Permissions •

CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0

Discourse is an open-source discussion platform. Prior to version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches, banner topic data is exposed on login-required sites. This issue is patched in version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches of Discourse. As a workaround, one may disable banners. Discourse es una plataforma de discusión de código abierto. • https://github.com/discourse/discourse/commit/ae6a9079436fb9b20fd051d25fb6d8027f0ec59a https://github.com/discourse/discourse/pull/17071 https://github.com/discourse/discourse/security/advisories/GHSA-5f4f-35fx-gqhq • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0

Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the `stable` branch and 2.9.0beta5 on the `beta` and `tests-passed` branches, inviting users on sites that use single sign-on could bypass the `must_approve_users` check and invites by staff are always approved automatically. The issue is patched in Discourse version 2.8.4 on the `stable` branch and version `2.9.0.beta5` on the `beta` and `tests-passed` branches. As a workaround, disable invites or increase `min_trust_level_to_allow_invite` to reduce the attack surface to more trusted users. Discourse es una plataforma de código abierto para el debate comunitario. • https://github.com/discourse/discourse/commit/0fa0094531efc82d9371f90a02aa804b176d59cf https://github.com/discourse/discourse/commit/7c4e2d33fa4b922354c177ffc880a2f2701a91f9 https://github.com/discourse/discourse/pull/16974 https://github.com/discourse/discourse/pull/16984 https://github.com/discourse/discourse/security/advisories/GHSA-x7jh-mx5q-6f9q • CWE-285: Improper Authorization •

CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0

Discourse is an open source platform for community discussion. A category's group permissions settings can be viewed by anyone that has access to the category. As a result, a normal user is able to see whether a group has read/write permissions in the category even though the information should only be available to the users that can manage a category. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are no workarounds for this problem. • https://github.com/discourse/discourse/security/advisories/GHSA-34xr-ff4w-mcpf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •