CVE-2022-24782 – Secure category names leaked via user activity export in Discourse
https://notcve.org/view.php?id=CVE-2022-24782
Discourse is an open source discussion platform. Versions 2.8.2 and prior in the `stable` branch, 2.9.0.beta3 and prior in the `beta` branch, and 2.9.0.beta3 and prior in the `tests-passed` branch are vulnerable to a data leak. Users can request an export of their own activity. Sometimes, due to category settings, they may have category membership for a secure category. The name of this secure category is shown to the user in the export. • https://github.com/discourse/discourse/commit/9d5737fd28374cc876c070f6c3a931a8071ec356 https://github.com/discourse/discourse/pull/16273 https://github.com/discourse/discourse/security/advisories/GHSA-c3cq-w899-f343 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-23641 – Denial of Service in Discourse
https://notcve.org/view.php?id=CVE-2022-23641
Discourse is an open source discussion platform. In versions prior to 2.8.1 in the `stable` branch, 2.9.0.beta2 in the `beta` branch, and 2.9.0.beta2 in the `tests-passed` branch, users can trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the background job triggers an infinite loop, which causes memory leaks. This issue is patched in version 2.8.1 of the `stable` branch, 2.9.0.beta2 of the `beta` branch, and 2.9.0.beta2 of the `tests-passed` branch. As a workaround, disable onebox completely in the admin panel or specify an allow list of domains that will be oneboxed. • https://github.com/discourse/discourse/commit/a34075d205a8857e29574ffd82aaece0c467565e https://github.com/discourse/discourse/pull/15927 https://github.com/discourse/discourse/security/advisories/GHSA-22xw-f62v-cfxv • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2022-21677 – Group advanced search option may leak group and group's members visibility
https://notcve.org/view.php?id=CVE-2022-21677
Discourse is an open source discussion platform. Discourse groups can be configured with varying visibility levels for the group as well as the group members. By default, a newly created group has its visibility set to public and the group's members visibility set to public as well. However, a group's visibility and the group's members visibility can be configured so that they are restricted to logged-on users, members of the group or staff users. A vulnerability has been discovered in versions prior to 2.7.13 and 2.8.0.beta11 where the group advanced search option does not respect the group's visibility and members visibility level. • https://github.com/discourse/discourse/commit/fff8b98485561b12d070c0a8c39f4e503813ab44 https://github.com/discourse/discourse/security/advisories/GHSA-768r-ppv4-5r27 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-21684 – User can bypass approval when invited to Discourse
https://notcve.org/view.php?id=CVE-2022-21684
Discourse is an open source discussion platform. Versions prior to 2.7.13 in `stable`, 2.8.0.beta11 in `beta`, and 2.8.0.beta11 in `tests-passed` allow some users to log in to a community before they should be able to do so. A user invited via email to a forum with `must_approve_users` enabled is going to be automatically logged in, bypassing the check that does not allow unapproved users to sign in. They will be able to do everything an approved user can do. If they log out, they cannot log back in. • https://github.com/discourse/discourse/commit/584c6a2e8bc705072b09a9c4b55126d6f8ed4ad2 https://github.com/discourse/discourse/security/advisories/GHSA-p63q-jp48-h8xh https://meta.discourse.org/t/invite-redemption-allowed-user-to-access-forum-before-approval/214328 • CWE-287: Improper Authentication •
CVE-2022-21678 – User's bio visible even if profile is restricted in Discourse
https://notcve.org/view.php?id=CVE-2022-21678
Discourse is an open source discussion platform. Prior to version 2.8.0.beta11 in the `tests-passed` branch, version 2.8.0.beta11 in the `beta` branch, and version 2.7.13 in the `stable` branch, the bios of users who made their profiles private were still visible in the `<meta>` tags on their users' pages. The problem is patched in `tests-passed` version 2.8.0.beta11, `beta` version 2.8.0.beta11, and `stable` version 2.7.13 of Discourse. • https://github.com/discourse/discourse/commit/5e2e178fcfb490c37b9f8bb9f737185441b1d6de https://github.com/discourse/discourse/commit/c0bb775f3f35b1b0d04a5b2a984f57c3e39f9e6c https://github.com/discourse/discourse/security/advisories/GHSA-jwww-46gv-564m • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •