CVE-2022-31060 – Banner topic data is exposed on login-required Discourse sites
https://notcve.org/view.php?id=CVE-2022-31060
Discourse is an open-source discussion platform. Prior to version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches, banner topic data is exposed on login-required sites. This issue is patched in version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches of Discourse. As a workaround, one may disable banners. • https://github.com/discourse/discourse/commit/ae6a9079436fb9b20fd051d25fb6d8027f0ec59a https://github.com/discourse/discourse/pull/17071 https://github.com/discourse/discourse/security/advisories/GHSA-5f4f-35fx-gqhq • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-31059 – Discourse Calendar Event names susceptible to Cross-site Scripting
https://notcve.org/view.php?id=CVE-2022-31059
Discourse Calendar is a calendar plugin for Discourse, an open-source messaging app. Prior to version 1.0.1, parsing and rendering of Event names can be susceptible to cross-site scripting (XSS) attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy. This issue is patched in version 1.0.1 of the Discourse Calendar plugin. As a workaround, ensure that the Content Security Policy is enabled and has not been modified in a way which would make it more vulnerable to XSS attacks. • https://github.com/discourse/discourse-calendar/commit/2719b9e81994e961bf8c4e12b4556dc9777dd62f https://github.com/discourse/discourse-calendar/pull/280 https://github.com/discourse/discourse-calendar/security/advisories/GHSA-c783-x9vm-xxp5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-31025 – Invite bypasses user approval in Discourse
https://notcve.org/view.php?id=CVE-2022-31025
Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the `stable` branch and `2.9.0.beta5` on the `beta` and `tests-passed` branches, inviting users on sites that use single sign-on could bypass the `must_approve_users` check, and invites by staff were always approved automatically. The issue is patched in Discourse version 2.8.4 on the `stable` branch and version `2.9.0.beta5` on the `beta` and `tests-passed` branches. As a workaround, disable invites or increase `min_trust_level_to_allow_invite` to reduce the attack surface to more trusted users. • https://github.com/discourse/discourse/commit/0fa0094531efc82d9371f90a02aa804b176d59cf https://github.com/discourse/discourse/commit/7c4e2d33fa4b922354c177ffc880a2f2701a91f9 https://github.com/discourse/discourse/pull/16974 https://github.com/discourse/discourse/pull/16984 https://github.com/discourse/discourse/security/advisories/GHSA-x7jh-mx5q-6f9q • CWE-285: Improper Authorization
CVE-2022-24866 – Exposure of Sensitive Information to an Unauthorized Actor in Discourse Assign
https://notcve.org/view.php?id=CVE-2022-24866
Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only serialized to people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff members, but for sites with assign features enabled publicly, the data was accessible to more people than just staff. Version 1.0.1 contains a patch. • https://github.com/discourse/discourse-assign/pull/320 https://github.com/discourse/discourse-assign/security/advisories/GHSA-9xhf-wvjx-f5w9 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-24850 – Category group permissions leaked in Discourse
https://notcve.org/view.php?id=CVE-2022-24850
Discourse is an open source platform for community discussion. A category's group permissions settings can be viewed by anyone that has access to the category. As a result, a normal user is able to see whether a group has read/write permissions in the category, even though the information should only be available to the users that can manage a category. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are no workarounds for this problem. • https://github.com/discourse/discourse/security/advisories/GHSA-34xr-ff4w-mcpf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor