CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35227 – Discourse vulnerable to DoS through Onebox
https://notcve.org/view.php?id=CVE-2024-35227
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, Oneboxing against a carefully crafted malicious URL can reduce the availability of a Discourse instance. The problem has been patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch. There are no known workarounds available for this vulnerability. • https://github.com/discourse/discourse/commit/10afe5fcf1ebf2e49cb80716d5e62e184c53519b https://github.com/discourse/discourse/commit/6ce5673d2c1a511b602e1b2ade6cdc898d14ab36 https://github.com/discourse/discourse/security/advisories/GHSA-664f-xwjw-752c • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35168 – WordPress WP Discourse plugin <= 2.5.1 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-35168
Missing Authorization vulnerability in Discourse WP Discourse.This issue affects WP Discourse: from n/a through 2.5.1. Vulnerabilidad de falta de autorización en Discourse WP Discourse. Este problema afecta a WP Discourse: desde n/a hasta 2.5.1. The WP Discourse plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action. • https://patchstack.com/database/vulnerability/wp-discourse/wordpress-wp-discourse-plugin-2-5-1-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31219 – Discourse-reactions' reaction data and public topic whisper content exposed on reactions given user activity page
https://notcve.org/view.php?id=CVE-2024-31219
Discourse-reactions is a plugin that allows user to add their reactions to the post. When whispers are enabled on a site via `whispers_allowed_groups` and reactions are made on whispers on public topics, the contents of the whisper and the reaction data are shown on the `/u/:username/activity/reactions` endpoint. Discourse-reactions es un complemento que permite al usuario agregar sus reacciones a la publicación. Cuando los whispers están habilitados en un sitio a través de `whispers_allowed_groups` y se realizan reacciones a whispers sobre temas públicos, el contenido del whisper y los datos de reacción se muestran en el endpoint `/u/:username/activity/reactions`. • https://github.com/discourse/discourse-reactions/commit/6a5a8dacd7e5cbbbbe7d2288b1df9c1062994dbe https://github.com/discourse/discourse-reactions/security/advisories/GHSA-7cqc-5xrw-xh67 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27085 – Denial of service through invites in Discourse
https://notcve.org/view.php?id=CVE-2024-27085
Discourse is an open source platform for community discussion. In affected versions users that are allowed to invite others can inject arbitrarily large data in parameters used in the invite route. The problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable invites or restrict access to them using the `invite allowed groups` site setting. • https://github.com/discourse/discourse/commit/62ea382247c1f87361d186392c45ca74c83be295 https://github.com/discourse/discourse/security/advisories/GHSA-cvp5-h7p8-mjj6 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27100 – Denial of service via Staff Actions in Discourse
https://notcve.org/view.php?id=CVE-2024-27100
Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren't enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource consumption which could render an instance inoperable. A site could be disrupted by either a malicious moderator on the same site or a malicious staff member on another site in the same multisite cluster. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. • https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47 https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc • CWE-400: Uncontrolled Resource Consumption •