CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24972 – Discourse may bypass user preference when adding users to chat groups
https://notcve.org/view.php?id=CVE-2025-24972
26 Mar 2025 — Discourse is an open-source discussion platform. Prior to versions `3.3.4` on the `stable` branch and `3.4.0.beta5` on the `beta` branch, in specific circumstances, users could be added to group direct messages despite disabling direct messaging in their preferences. Versions `3.3.4` and `3.4.0.beta5` contain a patch for the issue. A workaround is available. If a user disables chat in their preferences then they cannot be added to new group chats. • https://github.com/discourse/discourse/security/advisories/GHSA-4p63-qw6g-4mv2 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24808 – Discourse has race condition when adding users to a group DM
https://notcve.org/view.php?id=CVE-2025-24808
26 Mar 2025 — Discourse is an open-source discussion platform. Prior to versions `3.3.4` on the `stable` branch and `3.4.0.beta5` on the `beta` branch, someone who is about to reach the limit of users in a group DM may send requests to add new users in parallel. The requests might all go through ignoring the limit due to a race condition. The patch in versions `3.3.4` and `3.4.0.beta5` uses the `lock` step in service to wrap part of the `add_users_to_channel` service inside a distributed lock/mutex in order to avoid the ... • https://github.com/discourse/discourse/commit/a16b2f224860f6678f89f5ffa012f0ede17e4095 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53266 – Cross-site Scripting (XSS) via topic titles when CSP disabled in Discourse
https://notcve.org/view.php?id=CVE-2024-53266
04 Feb 2025 — Discourse is an open source platform for community discussion. In affected versions with some combinations of plugins, and with CSP disabled, activity streams in the user's profile page may be vulnerable to XSS. This has been patched in the latest version of Discourse core. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled. • https://github.com/discourse/discourse/security/advisories/GHSA-hw4j-4hg7-22h2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53851 – Partial denial of service via inline oneboxes in Discourse
https://notcve.org/view.php?id=CVE-2024-53851
04 Feb 2025 — Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This vulnerability is only exploitable by authenticated users. This issue has been patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. • https://github.com/discourse/discourse/commit/416ec83ae57924d721e6e374f4cda78bd77a4599 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53994 – Potential bypass of chat permissions in Discourse
https://notcve.org/view.php?id=CVE-2024-53994
04 Feb 2025 — Discourse is an open source platform for community discussion. In affected versions users who disable chat in preferences could still be reachable in some cases. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable the chat plugin within site settings. • https://github.com/discourse/discourse/security/advisories/GHSA-mrpw-gwj7-98r6 • CWE-281: Improper Preservation of Permissions •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55948 – Anonymous cache poisoning via XHR requests in Discourse
https://notcve.org/view.php?id=CVE-2024-55948
04 Feb 2025 — Discourse is an open source platform for community discussion. In affected versions an attacker can make craft an XHR request to poison the anonymous cache (for example, the cache may have a response with missing preloaded data). This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. • https://github.com/discourse/discourse/security/advisories/GHSA-2352-252q-qc82 • CWE-346: Origin Validation Error •
CVSS: 2.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56197 – Users can see other user's tagged PMs in Discourse
https://notcve.org/view.php?id=CVE-2024-56197
04 Feb 2025 — Discourse is an open source platform for community discussion. PM titles and metadata can be read by other users when the "PM tags allowed for groups" option is enabled, the other user is a member of a group added to this option, and the PM has been tagged. This issue has been patched in the latest `stable`, `beta` and `tests-passed` versions of Discourse. Users are advised to upgrade. Users unable to upgrade should remove all groups from the the "PM tags allowed for groups" option. • https://github.com/discourse/discourse/security/advisories/GHSA-xmgr-g9cp-v239 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56328 – HTMLi(XSS without CSP) via Onebox urls in Discourse
https://notcve.org/view.php?id=CVE-2024-56328
04 Feb 2025 — Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. • https://github.com/discourse/discourse/security/advisories/GHSA-j855-mhxj-x6vg • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22601 – Client Side Path Traversal using activate account route in Discourse
https://notcve.org/view.php?id=CVE-2025-22601
04 Feb 2025 — Discourse is an open source platform for community discussion. In affected versions an attacker can trick a target user to make changes to their own username via carefully crafted link using the `activate-account` route. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/discourse/discourse/security/advisories/GHSA-gvpp-v7mp-wxxw • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22602 – Stored DOM-based XSS (without CSP) via video placeholders in Discourse
https://notcve.org/view.php?id=CVE-2025-22602
04 Feb 2025 — Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. • https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-694p-c5m3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •