CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-49099 – Discourse secure uploads accessible to guests even when login is required
https://notcve.org/view.php?id=CVE-2023-49099
Discourse is a platform for community discussion. Under very specific circumstances, secure upload URLs associated with posts can be accessed by guest users even when login is required. This vulnerability has been patched in 3.2.0.beta4 and 3.1.4. Discourse es una plataforma para la discusión comunitaria. En circunstancias muy específicas, los usuarios invitados pueden acceder a las URL de carga segura asociadas con las publicaciones incluso cuando se requiere iniciar sesión. • https://github.com/discourse/discourse/commit/1b288236387fc0a823e4f15f1aea8dde81b49d53 https://github.com/discourse/discourse/security/advisories/GHSA-j67x-x6mq-pwv4 • CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-21655 – Insufficient control of custom field value sizes
https://notcve.org/view.php?id=CVE-2024-21655
Discourse is a platform for community discussion. For fields that are client editable, limits on sizes are not imposed. This allows a malicious actor to cause a Discourse instance to use excessive disk space and also often excessive bandwidth. The issue is patched 3.1.4 and 3.2.0.beta4. Discourse es una plataforma para la discusión comunitaria. • https://github.com/discourse/discourse/security/advisories/GHSA-m5fc-94mm-38fx • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.6EPSS: 0%CPEs: 4EXPL: 0CVE-2023-48297 – Discourse vulnerable to unlimited mentioned users in message serializer
https://notcve.org/view.php?id=CVE-2023-48297
Discourse is a platform for community discussion. The message serializer uses the full list of expanded chat mentions (@all and @here) which can lead to a very long array of users. This issue was patched in versions 3.1.4 and beta 3.2.0.beta5. Discourse es una plataforma para la discusión comunitaria. El serializador de mensajes utiliza la lista completa de menciones de chat ampliadas (@all y @here), lo que puede conducir a una gran variedad de usuarios. • https://github.com/discourse/discourse/security/advisories/GHSA-hf2v-r5xm-8p37 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-47121 – Discourse SSRF vulnerability in Embedding
https://notcve.org/view.php?id=CVE-2023-47121
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, the embedding feature is susceptible to server side request forgery. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. As a workaround, disable the Embedding feature. Discourse es una plataforma de código abierto para el debate comunitario. • https://github.com/discourse/discourse/commit/24cca10da731734af4e9748de99a508d586e59f1 https://github.com/discourse/discourse/commit/5f20748e402223b265e6fee381472c14e2604da6 https://github.com/discourse/discourse/security/advisories/GHSA-hp24-94qf-8cgc • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 1CVE-2023-47119 – HTML injection in oneboxed links
https://notcve.org/view.php?id=CVE-2023-47119
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some links can inject arbitrary HTML tags when rendered through our Onebox engine. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds. Discourse es una plataforma de código abierto para el debate comunitario. • https://github.com/BaadMaro/CVE-2023-47119 https://github.com/discourse/discourse/commit/628b293ff53fb617b3464dd27268aec84388cc09 https://github.com/discourse/discourse/commit/d78357917c6a917a8a27af68756228e89c69321c https://github.com/discourse/discourse/security/advisories/GHSA-j95w-5hvx-jp5w • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •