cve,link,title,description,vendor,products,score,severity,epss,cisa,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-54142,https://securityvulnerability.io/vulnerability/CVE-2024-54142,HTML Entity Exposure in Discourse AI Plugin by Discourse,"The Discourse AI plugin introduces a vulnerability that could potentially expose HTML entities present in conversations when shared in posts. If a user visits a post featuring a onebox linked to a conversation, these HTML entities may inadvertently leak into the Discourse application. The issue has been mitigated in a recent commit, and users are strongly encouraged to update their installations. For those unable to update, it is recommended to modify the 'ai bot public sharing allowed groups' site setting to prevent such leakage.",Discourse,Discourse-ai,9.1,CRITICAL,0.01,false,false,false,false,false,false,false,2025-01-14T23:15:00.000Z,0
CVE-2024-49765,https://securityvulnerability.io/vulnerability/CVE-2024-49765,Local Login Bypass Vulnerability in Discourse Community Platform,"CVE-2024-49765 is a significant local login bypass vulnerability affecting the Discourse community platform. This flaw allows attackers to exploit systems that have the Discourse Connect feature enabled while still allowing local logins. Consequently, attackers can create accounts and log in without proper authorization. To mitigate this risk, users are strongly advised to upgrade to the latest version of Discourse, which includes a patch for this vulnerability. For users unable to upgrade immediately, a temporary workaround is to disable all local login methods to secure their platforms.",Discourse,,,,0.0004299999854993075,false,false,false,false,,false,false,2024-12-19T20:15:00.000Z,0
CVE-2024-52794,https://securityvulnerability.io/vulnerability/CVE-2024-52794,Severe Vulnerability in Discourse Community Platform Affecting Thumbnail Features,"CVE-2024-52794 represents a significant security vulnerability in the Discourse community platform that affects users interacting with lightbox thumbnails. This flaw can potentially allow unauthorized access or manipulation of content when users click on these thumbnails, which can lead to further exploitation. As there are currently no workarounds available, it is crucial for users to immediately upgrade to the latest version of Discourse, where the issue has been successfully patched. Prompt action is essential to maintain the integrity and security of community discussions hosted on the platform.",Discourse,,,,0.0004299999854993075,false,false,false,false,,false,false,2024-12-19T20:15:00.000Z,0
CVE-2024-53991,https://securityvulnerability.io/vulnerability/CVE-2024-53991,Local File Exposure Vulnerability in Discourse Community Platform,"CVE-2024-53991 is a critical local file exposure vulnerability that affects instances of the Discourse community discussion platform, specifically those configured to use `FileStore::LocalStore` for local uploads and backups. This vulnerability allows an attacker who knows the name of a Discourse backup file to craft a malicious request, effectively tricking the web server (nginx) into serving the sensitive backup files directly. To mitigate this risk, it is vital for users to upgrade to the latest stable, beta, or tests-passed Discourse versions. For users unable to perform the upgrade immediately, it is recommended to either back up local files to an external storage device, disable backup functionality, or change backup storage settings to Amazon S3 to enhance security.",Discourse,,,,0.0004299999854993075,false,false,false,false,,false,false,2024-12-19T20:15:00.000Z,0
CVE-2024-52589,https://securityvulnerability.io/vulnerability/CVE-2024-52589,Email Exposure Vulnerability in Discourse Community Platform,"CVE-2024-52589 identifies a vulnerability within the Discourse community platform that exposes user email addresses. Moderators with access to the admin dashboard can view screened email lists, potentially compromising user privacy. This vulnerability is crucial for site administrators to address to safeguard user information. The issue has been resolved in the latest patched version of Discourse. Admins concerned about security should ensure their systems are updated or restrict moderator access to prevent unauthorized exposure of user data.",Discourse,,,,0.0004299999854993075,false,false,false,false,,false,false,2024-12-19T20:15:00.000Z,0
CVE-2024-47773,https://securityvulnerability.io/vulnerability/CVE-2024-47773,Anonymous Cache Poisoning Vulnerability in Discourse Affects Only Anonymous Visitors,"A vulnerability exists in the Discourse platform, an open-source solution for community discussions, allowing attackers to exploit a cache poisoning issue. This vulnerability primarily affects anonymous visitors who may encounter manipulated responses due to repeatedly made XHR requests. Once attacked, the cache can deliver unauthorized content, compromising the integrity of user interactions. The issue has been addressed in the latest version of Discourse, and users are strongly encouraged to upgrade. Those who cannot upgrade should disable the anonymous cache by configuring the `DISCOURSE_DISABLE_ANON_CACHE` environment variable accordingly.",Discourse,Discourse,8.2,HIGH,0.0004299999854993075,false,false,false,false,,false,false,2024-10-08T18:01:14.063Z,0
CVE-2024-47772,https://securityvulnerability.io/vulnerability/CVE-2024-47772,Cross-site Scripting (XSS) via chat excerpts when content security policy (CSP) disabled in Discourse,Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of Discourse. All users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum. Users who do upgrade should also consider enabling a CSP as well as a proactive measure.,Discourse,Discourse,6.1,MEDIUM,0.0004600000102072954,false,false,false,false,,false,false,2024-10-07T21:15:00.000Z,0
CVE-2024-43789,https://securityvulnerability.io/vulnerability/CVE-2024-43789,Discourse Platform Patches Potential Availability Reduction Vulnerability,"Discourse is an open source platform for community discussion. A user can create a post with many replies, and then attempt to fetch them all at once. This can potentially reduce the availability of a Discourse instance. This problem has been patched in the latest version of Discourse. All users area are advised to upgrade. There are no known workarounds for this vulnerability.",Discourse,Discourse,4.3,MEDIUM,0.00044999999227002263,false,true,false,true,,false,false,2024-10-07T21:15:00.000Z,0
CVE-2024-45051,https://securityvulnerability.io/vulnerability/CVE-2024-45051,Attackers Can Bypass Domain-Based Restrictions in Discourse Due to Recent Vulnerability,"A critical vulnerability exists in Discourse, an open-source platform for community discussion, which allows an attacker to utilize a crafted email address to circumvent domain-based restrictions. This exploitation enables unauthorized access to private sites, categories, and groups within the platform. The issue has been addressed in the latest versions of Discourse, and all users are strongly urged to upgrade as there are no existing workarounds. Ensuring that your Discourse installation is up-to-date is essential for maintaining security.",Discourse,Discourse,8.2,HIGH,0.0008699999889358878,false,false,false,false,,false,false,2024-10-07T21:15:00.000Z,0
CVE-2024-45297,https://securityvulnerability.io/vulnerability/CVE-2024-45297,Discourse Patches Security Vulnerability Affecting All Users,"Discourse is an open source platform for community discussion. Users can see topics with a hidden tag if they know the label/name of that tag. This issue has been patched in the latest stable, beta and tests-passed version of Discourse. All users area are advised to upgrade. There are no known workarounds for this vulnerability.",Discourse,Discourse,4.3,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-10-07T21:15:00.000Z,0
CVE-2024-45303,https://securityvulnerability.io/vulnerability/CVE-2024-45303,,Discourse Calendar plugin adds the ability to create a dynamic calendar in the first post of a topic to Discourse. Rendering event names can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy. The issue is patched in version 0.5 of the Discourse Calendar plugin.,Discourse,Calendar,6.1,MEDIUM,0.0004600000102072954,false,false,false,false,,false,false,2024-09-12T19:15:00.000Z,0
CVE-2024-21658,https://securityvulnerability.io/vulnerability/CVE-2024-21658,Dynamic Calendar Vulnerability Affects Discourse Instances,discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in main the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible.,Discourse,Discourse-calendar,4.3,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-08-30T17:18:40.593Z,0
CVE-2024-43408,https://securityvulnerability.io/vulnerability/CVE-2024-43408,Discourse Placeholder Forms has a XSS stopped by CSP,Discourse Placeholder Forms will let you build dynamic documentation. Unsanitized and stored user input was injected in the html of the post. The vulnerability is fixed in commit a62f711d5600e4e5d86f342d52932cb6221672e7.,Discourse,Discourse-placeholder-theme-component,6.3,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-08-20T17:15:00.000Z,0
CVE-2024-39320,https://securityvulnerability.io/vulnerability/CVE-2024-39320,Open source discussion platform vulnerability fix,"Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.",Discourse,Discourse,6.1,MEDIUM,0.0005200000014156103,false,false,false,false,,false,false,2024-07-30T14:33:48.589Z,0
CVE-2024-37299,https://securityvulnerability.io/vulnerability/CVE-2024-37299,Discourse vulnerability affects very long tag group names,"A vulnerability in the Discourse discussion platform allows attackers to craft specific requests that submit excessively long tag group names. This can lead to a reduction in the availability of Discourse instances, impacting users and administrators. The issue has been addressed in versions 3.2.5 and 3.3.0.beta5, enhancing the platform's resilience against potential disruptions caused by input validation flaws.",Discourse,Discourse,7.5,HIGH,0.0005300000193528831,false,false,false,false,,false,false,2024-07-30T14:22:36.367Z,0
CVE-2024-37165,https://securityvulnerability.io/vulnerability/CVE-2024-37165,Discourse Fixes XSS Vulnerability in 3.2.3 and 3.3.0.beta3,"Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability is fixed in 3.2.3 and 3.3.0.beta3.",Discourse,Discourse,6.1,MEDIUM,0.0005200000014156103,false,false,false,false,,false,false,2024-07-30T14:10:24.804Z,0
CVE-2024-38360,https://securityvulnerability.io/vulnerability/CVE-2024-38360,Moderators can reduce availability of Discourse instances by creating long words,"Discourse is an open source platform for community discussion. In affected versions by creating replacement words with an almost unlimited number of characters, a moderator can reduce the availability of a Discourse instance. This issue has been addressed in stable version 3.2.3 and in current betas. Users are advised to upgrade. Users unable to upgrade may manually remove the long watched words either via SQL or Rails console.",Discourse,,,,0.0004299999854993075,false,false,false,false,,false,false,2024-07-15T20:15:00.000Z,0
CVE-2024-37157,https://securityvulnerability.io/vulnerability/CVE-2024-37157,FastImage Library Vulnerability Affects Discourse Platform,"Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, a malicious actor could get the FastImage library to redirect requests to an internal Discourse IP. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. No known workarounds are available.",Discourse,Discourse,5.3,MEDIUM,0.0005200000014156103,false,false,false,false,,false,false,2024-07-03T20:15:00.000Z,0
CVE-2024-36122,https://securityvulnerability.io/vulnerability/CVE-2024-36122,Email Addresses of Users Visible to Moderators in Review Queue Prior to Certain Versions,"Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, moderators using the review queue to review users may see a users email address even when the Allow moderators to view email addresses setting is disabled. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. As possible workarounds, either prevent moderators from accessing the review queue or disable the approve suspect users site setting and the must approve users site setting to prevent users from being added to the review queue.",Discourse,Discourse,4.3,MEDIUM,0.0005200000014156103,false,false,false,false,,false,false,2024-07-03T20:15:00.000Z,0
CVE-2024-36113,https://securityvulnerability.io/vulnerability/CVE-2024-36113,"Rogue Staff User Could Suspend Other Staff Users, Patched in Latest Versions","Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch, a rogue staff user could suspend other staff users preventing them from logging in to the site. The issue is patched in version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch. No known workarounds are available.",Discourse,Discourse,6.5,MEDIUM,0.0005000000237487257,false,false,false,false,,false,false,2024-07-03T19:15:00.000Z,0
CVE-2024-35234,https://securityvulnerability.io/vulnerability/CVE-2024-35234,Arbitrary JavaScript Execution Vulnerability Affects Discourse Sites Without CSP,"Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, an attacker can execute arbitrary JavaScript on users’ browsers by posting a specific URL containing maliciously crafted meta tags. This issue only affects sites with Content Security Polic (CSP) disabled. The problem has been patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch. As a workaround, ensure CSP is enabled on the forum.",Discourse,Discourse,6.1,MEDIUM,0.0005200000014156103,false,false,false,false,,false,false,2024-07-03T19:15:00.000Z,0
CVE-2024-35227,https://securityvulnerability.io/vulnerability/CVE-2024-35227,Carefully crafted malicious URL can reduce Discourse instance availability,"A vulnerability exists in the Discourse open-source discussion platform where the Oneboxing feature can be exploited using a carefully crafted malicious URL. This may lead to reduced availability of the Discourse instance. The vulnerability impacts versions prior to 3.2.3 on the stable branch and 3.3.0.beta3 on the tests-passed branch. Users are advised to upgrade to the specified patched versions, as there are currently no workarounds available to mitigate this issue.",Discourse,Discourse,7.5,HIGH,0.00044999999227002263,false,false,false,false,,false,false,2024-07-03T18:15:00.000Z,0
CVE-2024-35168,https://securityvulnerability.io/vulnerability/CVE-2024-35168,Missing Authorization Vulnerability Affects WP Discourse from n/a through 2.5.1,Missing Authorization vulnerability in Discourse WP Discourse.This issue affects WP Discourse: from n/a through 2.5.1.,Discourse,WP Discourse,4.3,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-06-11T14:40:31.052Z,0
CVE-2024-31219,https://securityvulnerability.io/vulnerability/CVE-2024-31219,Reactions on Whispers: A New Feature for Public Topics,"Discourse-reactions is a plugin that allows user to add their reactions to the post. When whispers are enabled on a site via `whispers_allowed_groups` and reactions are made on whispers on public topics, the contents of the whisper and the reaction data are shown on the `/u/:username/activity/reactions` endpoint.
",Discourse,Discourse-reactions,4.3,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-04-15T18:00:14.783Z,0
CVE-2024-27085,https://securityvulnerability.io/vulnerability/CVE-2024-27085,Arbitrary Data Injection Vulnerability in Discourse Affects Users,"Discourse is an open source platform for community discussion. In affected versions users that are allowed to invite others can inject arbitrarily large data in parameters used in the invite route. The problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable invites or restrict access to them using the `invite allowed groups` site setting. ",Discourse,Discourse,6.5,MEDIUM,0.0004299999854993075,false,false,false,false,,false,false,2024-03-15T19:22:46.937Z,0