Page 31 of 156 results (0.021 seconds)

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Discourse is an open source discussion platform. In versions prior to 2.7.7 there are two bugs which led to the post creator of a whisper post being revealed to non-staff users. 1: Staff users that creates a whisper post in a personal message is revealed to non-staff participants of the personal message even though the whisper post cannot be seen by them. 2: When a whisper post is before the last post in a post stream, deleting the last post will result in the creator of the whisper post to be revealed to non-staff users as the last poster of the topic. Discourse es una plataforma de debate de código abierto. En las versiones anteriores a 2.7.7 se presentan dos bugs que conllevaron a que el creador de una publicación whisper fuera revelado a usuarios que no eran del personal. 1: Unos usuarios del personal que crean una publicación whisper en un mensaje personal son revelados a participantes del mensaje personal que no son del personal, aunque la publicación whisper no puede ser vista por ellos. 2: Cuando una publicación whisper es anterior al último mensaje en un flujo de mensajes, eliminando la última publicación resultará en que el creador del mensaje whisper sea revelado a usuarios no pertenecientes al personal como el último mensaje del tema • https://github.com/discourse/discourse/commit/680024f9071b7696e5a444a58791016c6dc1f1e5 https://github.com/discourse/discourse/commit/dbdf61196d9e964e8823793d2e7f856595fea4d9 https://github.com/discourse/discourse/security/advisories/GHSA-v6xg-q577-vc92 • CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0

Discourse is an open-source discussion platform. In Discourse versions 2.7.5 and prior, parsing and rendering of YouTube Oneboxes can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy. The issue is patched in `stable` version 2.7.6, `beta` version 2.8.0.beta3, and `tests-passed` version 2.8.0.beta3. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks. • https://github.com/discourse/discourse/security/advisories/GHSA-9x4c-29xg-56hw • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 2%CPEs: 2EXPL: 2

In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. En Discourse versiones 2.7.0 hasta beta1, una omisión del límite de velocidad conlleva a una omisión del requisito de 2FA para determinadas formularios Discourse version 2.7.0 suffers from a 2FA bypass via a rate limiting bypass vulnerability. • https://github.com/Mesh3l911/CVE-2021-3138 http://packetstormsecurity.com/files/162256/Discourse-2.7.0-2FA-Bypass.html https://github.com/Mesh3l911/Disource https://github.com/discourse/discourse/releases • CWE-307: Improper Restriction of Excessive Authentication Attempts •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Discourse 2.3.2 sends the CSRF token in the query string. Discourse 2.3.2 envía el token CSRF en la cadena de consulta. • https://github.com/discourse/discourse/pull/8026 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via an email link. Discourse en versiones anteriores a la 2.3.0 y 2.4.x en versiones anteriores a la 2.4.0.beta3 carece de una pantalla de confirmación cuando se inicia sesión mediante un enlace de correo electrónico. • https://github.com/discourse/discourse/commit/52387be4a44cdeaca5421ee955ba1343e836bade https://github.com/discourse/discourse/commit/b8340c6c8e50a71ff1bca9654b9126ca5a84ce9a • CWE-287: Improper Authentication •