CVE-2023-46130 – Bypassing height value allowed in some theme components
https://notcve.org/view.php?id=CVE-2023-46130
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some theme components allow users to add svgs with unlimited `height` attributes, and this can affect the availability of subsequent replies in a topic. Most Discourse instances are unaffected, only instances with the svgbob or the mermaid theme component are within scope. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. As a workaround, disable or remove the relevant theme components. • https://github.com/discourse/discourse/commit/6183d9633de873ac2b1e9cdb6ac1c94b4ffae9cb https://github.com/discourse/discourse/commit/89a2e60706ce22e4afc463d03af2f34c53291800 https://github.com/discourse/discourse/security/advisories/GHSA-c876-638r-vfcg • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2023-45816 – Unread bookmark reminder notifications that the user cannot access can be seen
https://notcve.org/view.php?id=CVE-2023-45816
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, there is an edge case where a bookmark reminder is sent and an unread notification is generated, but the underlying bookmarkable (e.g. post, topic, chat message) security has changed, making it so the user can no longer access the underlying resource. As of version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, bookmark reminders are now no longer sent if the user does not have access to the underlying bookmarkable, and also the unread bookmark notifications are always filtered by access. There are no known workarounds. Discourse es una plataforma de código abierto para el debate comunitario. • https://github.com/discourse/discourse/commit/2c45b949ea0e9d6fa8e5af2dd07f6521ede08bf1 https://github.com/discourse/discourse/commit/3c5fb871c0f54af47679ae71ad449666b01d8216 https://github.com/discourse/discourse/security/advisories/GHSA-v9r6-92wp-f6cf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-45806 – Discourse vulnerable to DoS via Regexp Injection in Full Name
https://notcve.org/view.php?id=CVE-2023-45806
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, if a user has been quoted and uses a `|` in their full name, they might be able to trigger a bug that generates a lot of duplicate content in all the posts they've been quoted by updating their full name again. Version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches contain a patch for this issue. No known workaround exists, although one can stop the "bleeding" by ensuring users only use alphanumeric characters in their full name field. Discourse es una plataforma de código abierto para el debate comunitario. • https://github.com/discourse/discourse/commit/2ec25105179199cf80912bf011c18b8b870e1863 https://github.com/discourse/discourse/commit/7d484864fe91ff79c478f57e7ddb1235d701921e https://github.com/discourse/discourse/security/advisories/GHSA-hcgf-hg2g-mw78 • CWE-1333: Inefficient Regular Expression Complexity •
CVE-2023-43658 – Improper escaping of user input in discourse-calendar
https://notcve.org/view.php?id=CVE-2023-43658
dicourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Improper escaping of event titles could lead to Cross-site Scripting (XSS) within the 'email preview' UI when a site has CSP disabled. Having CSP disabled is a non-default configuration, so the vast majority of sites are unaffected. This problem is resolved in the latest version of the discourse-calendar plugin. Users are advised to upgrade. • https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP https://github.com/discourse/discourse-calendar/commit/9788310906febb36822d6823d14f1059c39644de https://github.com/discourse/discourse-calendar/security/advisories/GHSA-3fwj-f6ww-7hr6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-45131 – Unauthenticated access to new private chat messages in Discourse
https://notcve.org/view.php?id=CVE-2023-45131
Discourse is an open source platform for community discussion. New chat messages can be read by making an unauthenticated POST request to MessageBus. This issue is patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/discourse/discourse/security/advisories/GHSA-84gf-hhrc-9pw6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •