CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2022-37458
https://notcve.org/view.php?id=CVE-2022-37458
Discourse through 2.8.7 allows admins to send invitations to arbitrary email addresses at an unlimited rate. Discourse versiones hasta 2.8.7, permite a administradores enviar invitaciones a direcciones de correo electrónico arbitrarias a un ritmo ilimitado • https://github.com/discourse/discourse/security/advisories/GHSA-q2rg-m477-8wg7 https://github.com/discourse/discourse/tags https://www.enisa.europa.eu/topics/threat-risk-management/vulnerability-disclosure •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-31184 – Email activation route can be abused by spammers in Discourse
https://notcve.org/view.php?id=CVE-2022-31184
Discourse is the an open source discussion platform. In affected versions an email activation route can be abused to send mass spam emails. A fix has been included in the latest stable, beta and tests-passed versions of Discourse which rate limits emails. Users are advised to upgrade. Users unable to upgrade should manually rate limit email. • https://github.com/discourse/discourse/commit/af1cb735db7fb73217b85d22dbadd1bc824ac0b0 https://github.com/discourse/discourse/security/advisories/GHSA-m5w9-8gp8-2hrf • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31182 – Cache poisoning via maliciously-formed request in Discourse
https://notcve.org/view.php?id=CVE-2022-31182
Discourse is the an open source discussion platform. In affected versions a maliciously crafted request for static assets could cause error responses to be cached by Discourse's default NGINX proxy configuration. A corrected NGINX configuration is included in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/discourse/discourse/commit/7af25544c3940c4d046c51f4cfac9c72a06d4f50 https://github.com/discourse/discourse/security/advisories/GHSA-4ff8-3j78-w6pp • CWE-404: Improper Resource Shutdown or Release •
CVSS: 5.7EPSS: 0%CPEs: 6EXPL: 0CVE-2022-31096 – Invites restricted to an email or invite links restricted to an email domain may be bypassed by a under certain conditions in Discourse
https://notcve.org/view.php?id=CVE-2022-31096
Discourse is an open source discussion platform. Under certain conditions, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggravated when the invite has been configured to add the user that accepts the invite into restricted groups. Once a user has been incorrectly added to a restricted group, the user may then be able to view content which that are restricted to the respective group. Users are advised to upgrade to the current stable releases. • https://github.com/discourse/discourse/security/advisories/GHSA-rvp8-459h-282r • CWE-281: Improper Preservation of Permissions •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31095 – Exposure of Sensitive Information in discourse-chat
https://notcve.org/view.php?id=CVE-2022-31095
discourse-chat is a chat plugin for the Discourse application. Versions prior to 0.4 are vulnerable to an exposure of sensitive information, where an attacker who knows the message ID for a channel they do not have access to can view that message using the chat message lookup endpoint, primarily affecting direct message channels. There are no known workarounds for this issue, and users are advised to update the plugin. discourse-chat es un plugin de chat para la aplicación Discourse. Las versiones anteriores a 0.4 son vulnerables a una exposición de información confidencial, en la que un atacante que conoce el ID del mensaje de un canal al que no presenta acceso puede visualizar ese mensaje usando el endpoint de búsqueda de mensajes de chat, lo que afecta principalmente a los canales de mensajes directos. No se presentan mitigaciones conocidas para este problema, y es aconsejado a usuarios actualizar el plugin • https://github.com/discourse/discourse-chat/security/advisories/GHSA-r979-jhp2-3f6h • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •