Page 7 of 124 results (0.023 seconds)

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

Discourse is an open source platform for community discussion. A malicious request can cause production log files to quickly fill up and thus result in the server running out of disk space. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. It is possible to temporarily work around this problem by reducing the `client_max_body_size nginx directive`. `client_max_body_size` will limit the size of uploads that can be uploaded directly to the server. • http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size https://github.com/discourse/discourse/security/advisories/GHSA-89h3-g746-xmwq • CWE-400: Uncontrolled Resource Consumption •

CVSS: 3.7EPSS: 0%CPEs: 2EXPL: 0

Discourse is an open source platform for community discussion. Attackers with details specific to a poll in a topic can use the `/polls/grouped_poll_results` endpoint to view the content of options in the poll and the number of votes for groups of poll participants. This impacts private polls where the results were intended to only be viewable by authorized users. This issue is patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. There is no workaround for this issue apart from upgrading to the fixed version. • https://github.com/discourse/discourse/security/advisories/GHSA-3x57-846g-7qcw • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-284: Improper Access Control •

CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0

Discourse is an open source platform for community discussion. Improper escaping of user input allowed for Cross-site Scripting attacks via the digest email preview UI. This issue only affects sites with CSP disabled. This issue has been patched in the 3.1.1 stable release as well as the 3.2.0.beta1 release. Users are advised to upgrade. • https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP https://github.com/discourse/discourse/security/advisories/GHSA-g4qg-5q2h-m8ph • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 0

Discourse is an open source community platform. In affected versions any user can create a topic and add arbitrary custom fields to a topic. The severity of this vulnerability depends on what plugins are installed and how the plugins uses topic custom fields. For a default Discourse installation with the default plugins, this vulnerability has no impact. The problem has been patched in the latest version of Discourse. • https://github.com/discourse/discourse/security/advisories/GHSA-wm89-m359-f9qv • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.5EPSS: 0%CPEs: 214EXPL: 0

Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious admin could create extremely large icons sprites, which would then be cached in each server process. This may cause server processes to be killed and lead to downtime. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. This is only a concern for multisite installations. • https://github.com/discourse/discourse/security/advisories/GHSA-28hh-h5xw-xgvx • CWE-770: Allocation of Resources Without Limits or Throttling •