CVE-2023-38684 – Discourse vulnerable to ossible DDoS due to unbounded limits in various controller actions
https://notcve.org/view.php?id=CVE-2023-38684
Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, in multiple controller actions, Discourse accepts limit params but does not impose any upper bound on the values being accepted. Without an upper bound, the software may allow arbitrary users to generate DB queries which may end up exhausting the resources on the server. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability. • https://github.com/discourse/discourse/commit/bfc3132bb22bd5b7e86f428746b89c4d3d7f5a70 https://github.com/discourse/discourse/security/advisories/GHSA-ff7g-xv79-hgmf • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2023-38498 – Discourse vulnerable to DoS via defer queue
https://notcve.org/view.php?id=CVE-2023-38498
Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a malicious user can prevent the defer queue from proceeding promptly on sites hosted in the same multisite installation. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability. Users of multisite configurations should upgrade. • https://github.com/discourse/discourse/commit/26e267478d785e2f32ee7da4613e2cf4a65ff182 https://github.com/discourse/discourse/security/advisories/GHSA-wv29-rm3f-4g2j • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2023-37906 – Discourse vulnerable to DoS via post edit reason
https://notcve.org/view.php?id=CVE-2023-37906
Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a malicious user can edit a post in a topic and cause a DoS with a carefully crafted edit reason. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability. • https://github.com/discourse/discourse/commit/dcc825bda505a344eda403a1b8733f30e784034a https://github.com/discourse/discourse/security/advisories/GHSA-pjv6-47x6-mx7c • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2023-37904 – Discourse Race Condition in Accept Invite
https://notcve.org/view.php?id=CVE-2023-37904
Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, more users than permitted could be created from invite links. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. As a workaround, use restrict to email address invites. • https://github.com/discourse/discourse/commit/62a609ea2d0645a27ee8adbb01ce10a5e03a600b https://github.com/discourse/discourse/security/advisories/GHSA-6wj5-4ph2-c7qg • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2023-37467 – Discourse CSP nonce reuse vulnerability for anonymous users
https://notcve.org/view.php?id=CVE-2023-37467
Discourse is an open source discussion platform. Prior to version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a CSP (Content Security Policy) nonce reuse vulnerability was discovered could allow cross-site scripting (XSS) attacks to bypass CSP protection for anonymous (i.e. unauthenticated) users. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to bypass CSP and execute successfully. This vulnerability isn't applicable to logged-in users. Version 3.1.0.beta7 contains a patch. • https://github.com/discourse/discourse/commit/0976c8fad6970b6182e7837bf87de07709407f25 https://github.com/discourse/discourse/security/advisories/GHSA-gr5h-hm62-jr3j • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-323: Reusing a Nonce, Key Pair in Encryption •