CVE-2021-41095 – XSS via blocked watched word in error message
https://notcve.org/view.php?id=CVE-2021-41095
Discourse is an open source discussion platform. There is a cross-site scripting (XSS) vulnerability in versions 2.7.7 and earlier of the `stable` branch, versions 2.8.0.beta6 and earlier of the `beta` branch, and versions 2.8.0.beta6 and earlier of the `tests-passed` branch. Rendering of some error messages that contain user input can be susceptible to XSS attacks. This vulnerability only affects sites which have blocked watched words that contain HTML tags, modified or disabled Discourse's default Content Security Policy. This issue is patched in the latest `stable`, `beta` and `tests-passed` versions of Discourse. • https://github.com/discourse/discourse/pull/14434/commits/40b776b9d39c41d9273d01eecf8fe03aa39fcb59 https://github.com/discourse/discourse/security/advisories/GHSA-qvqx-2h7w-m479 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-41082 – Private message title and participating users leaked in discourse
https://notcve.org/view.php?id=CVE-2021-41082
Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not compromised as users were not able to view the posts in the leaked private message despite seeing it in their inbox. The problematic commit was reverted around 32 minutes after it was made. Users are encouraged to upgrade to the latest commit if they are running Discourse against the `tests-passed` branch. • https://github.com/discourse/discourse/commit/27bad28c530c89acab35a56b945b6a3924280f4b https://github.com/discourse/discourse/commit/ddb458343dc39a7a8c99467dcd809b444514fe2c https://github.com/discourse/discourse/security/advisories/GHSA-vm3x-w6jm-j9vv • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •
CVE-2021-39161 – Cross-site scripting via category name in Discourse
https://notcve.org/view.php?id=CVE-2021-39161
Discourse is an open source platform for community discussion. In affected versions category names can be used for Cross-site scripting(XSS) attacks. This is mitigated by Discourse's default Content Security Policy and this vulnerability only affects sites which have modified or disabled or changed Discourse's default Content Security Policy have allowed for moderators to modify categories. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks. • https://github.com/discourse/discourse/security/advisories/GHSA-xhmc-9jwm-wqph • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-37703 – Information exposure in Discourse
https://notcve.org/view.php?id=CVE-2021-37703
Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta5, a user's read state for a topic such as the last read post number and the notification level is exposed. Discourse es una plataforma de código abierto para el debate comunitario. En Discourse versiones anteriores a 2.7.8 y 2.8.0.beta5, el estado de lectura de un usuario para un tema, como el número de la última publicación leída y el nivel de notificación, está expuesto. • https://github.com/discourse/discourse/commit/aed65ec16d38886d7be7209d8c02df4ffd4937a4 https://github.com/discourse/discourse/security/advisories/GHSA-gq2h-qhg2-phf9 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2021-37693 – Re-use of email tokens in Discourse
https://notcve.org/view.php?id=CVE-2021-37693
Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email address does not invalidate an unused token which can then be used in other contexts, including reseting a password. Discourse es una plataforma de código abierto para el debate comunitario. En Discourse versiones anteriores a 2.7.8 y 2.8.0.beta4, cuando se añaden direcciones de correo electrónico adicionales a una cuenta existente en un sitio de Discourse es generado un token de correo electrónico como parte del proceso de comprobación del correo electrónico. • https://github.com/discourse/discourse/commit/fb14e50741a4880cda22244eded8858e2f5336ef https://github.com/discourse/discourse/security/advisories/GHSA-9377-96f4-cww4 • CWE-613: Insufficient Session Expiration CWE-640: Weak Password Recovery Mechanism for Forgotten Password •