cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-53266,https://securityvulnerability.io/vulnerability/CVE-2024-53266,Cross-Site Scripting Vulnerability in Discourse by Discourse,"Discourse, an open-source community platform, is susceptible to a Cross-Site Scripting (XSS) vulnerability when certain plugins are used, especially if Content Security Policy (CSP) is disabled. This flaw allows potentially malicious scripts to be executed within the activity streams on users' profile pages, which could compromise user data and experience. Although a patch has been released in the latest version of Discourse core, users who are unable to upgrade are highly recommended to enable CSP to mitigate this risk.",Discourse,Discourse,4.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-02-04T21:18:19.591Z,0
CVE-2024-53851,https://securityvulnerability.io/vulnerability/CVE-2024-53851,Denial of Service Vulnerability in Discourse by Open Source Community,"Discourse, an open-source community discussion platform, suffers from a denial of service vulnerability due to improper URL limit enforcement in its inline onebox generation feature. Authenticated users can exploit this by sending excessive URL requests, potentially leading to service disruption. This issue has been mitigated in the latest stable, beta, and tests-passed releases of Discourse. Users unable to upgrade should disable the inline onebox feature for all domains and clear the allowed inline onebox domains to safeguard against this vulnerability.",Discourse,Discourse,4.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-02-04T21:16:42.089Z,0
CVE-2024-53994,https://securityvulnerability.io/vulnerability/CVE-2024-53994,Open Source Community Discussion Platform Vulnerability in Discourse,"A vulnerability in the Discourse community discussion platform allows users who have disabled chat preferences to still be reachable under certain conditions. This flaw highlights an improper configuration within the platform regarding user privacy settings. The issue has been addressed in the latest release of Discourse, and users are encouraged to upgrade promptly. For those unable to perform the upgrade, the temporary solution is to disable the chat plugin via site settings to mitigate potential risks.",Discourse,Discourse,4.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-02-04T21:12:23.126Z,0
CVE-2024-55948,https://securityvulnerability.io/vulnerability/CVE-2024-55948,XSRF Vulnerability in Discourse Community Forum Software,"An identified vulnerability in the Discourse platform allows for the potential exploitation via crafted XHR requests that can poison the anonymous cache. This issue specifically affects anonymous visitors, leading to responses that might lack essential preloaded data. Despite its impact, the situation can be mitigated by upgrading to the latest version of Discourse. For users unable to implement the update, a temporary fix is to disable the anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value. For more details, refer to the official advisory.",Discourse,Discourse,8.2,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-02-04T21:01:59.746Z,0
CVE-2024-56197,https://securityvulnerability.io/vulnerability/CVE-2024-56197,Improper Access Control in Discourse Community Platform,"An issue in the Discourse community platform allows unauthorized users to read private message (PM) titles and metadata when certain group settings are enabled. Specifically, if the 'PM tags allowed for groups' option is activated and a user is a member of a group with PM tagging, they may access sensitive information from PMs that should be restricted. This vulnerability has been addressed in the latest versions of Discourse, and users are strongly encouraged to update their installations. For those who cannot upgrade immediately, it is recommended to disable the 'PM tags allowed for groups' option to mitigate the risk.",Discourse,Discourse,2.2,LOW,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-02-04T20:59:13.464Z,0
CVE-2024-56328,https://securityvulnerability.io/vulnerability/CVE-2024-56328,Cross-Site Scripting Vulnerability in Discourse Community Platform,"A vulnerability exists within the Discourse platform that allows an attacker to execute arbitrary JavaScript in the browser of unsuspecting users through maliciously crafted Onebox URLs. This vulnerability specifically impacts instances where Content Security Policy (CSP) is disabled. It is crucial for users to upgrade to the latest version of Discourse to mitigate this security risk. For those who cannot upgrade immediately, enabling CSP, disabling inline Oneboxes globally, or allowing specific domains for Oneboxing are recommended mitigation strategies.",Discourse,Discourse,6.5,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-02-04T20:55:17.223Z,0
CVE-2025-22601,https://securityvulnerability.io/vulnerability/CVE-2025-22601,Account Manipulation Vulnerability in Discourse by Discourse,"A vulnerability in Discourse allows attackers to exploit the `activate-account` route to manipulate a target user's account by crafting specially designed links. When a user clicks on such a link, they may unintentionally change their username, leading to potential security risks for their account. The vulnerability has been addressed in the latest version of Discourse, and users are strongly encouraged to upgrade to protect their accounts. Currently, there are no known workarounds for this issue, making immediate action essential.",Discourse,Discourse,3.1,LOW,0.0004400000034365803,false,,false,false,false,,false,false,false,,2025-02-04T20:53:11.983Z,0
CVE-2025-22602,https://securityvulnerability.io/vulnerability/CVE-2025-22602,JavaScript Injection Vulnerability in Discourse by Discourse,"Discourse is a widely used open source platform designed for community discussions. In certain versions, a vulnerability exists that allows attackers to inject arbitrary JavaScript into users' browsers through a specially crafted video placeholder HTML element. This security issue arises specifically on sites that have Content Security Policy (CSP) disabled, exposing users to potential malicious scripts. To mitigate this risk, users are strongly encouraged to upgrade to the latest version of Discourse, where this vulnerability has been patched. For those unable to perform an upgrade, enabling CSP may provide an additional layer of protection against this type of attack.",Discourse,Discourse,6.5,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-02-04T20:51:56.909Z,0
CVE-2025-23023,https://securityvulnerability.io/vulnerability/CVE-2025-23023,Cache Poisoning Vulnerability in Discourse by Discourse,"In Discourse, a widely used open-source community discussion platform, a cache poisoning vulnerability allows an attacker to craft malicious requests aimed at manipulating the anonymous cache. This manipulation can lead to responses that lack essential preloaded data, affecting the experience of anonymous visitors. To mitigate this issue, users are strongly encouraged to update to the latest version of Discourse. For those unable to perform the upgrade, it is advisable to disable the anonymous cache by configuring the `DISCOURSE_DISABLE_ANON_CACHE` environment variable appropriately.",Discourse,Discourse,8.2,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-02-04T20:48:53.343Z,0
CVE-2024-54142,https://securityvulnerability.io/vulnerability/CVE-2024-54142,HTML Entity Exposure in Discourse AI Plugin by Discourse,"The Discourse AI plugin introduces a vulnerability that could potentially expose HTML entities present in conversations when shared in posts. If a user visits a post featuring a onebox linked to a conversation, these HTML entities may inadvertently leak into the Discourse application. The issue has been mitigated in a recent commit, and users are strongly encouraged to update their installations. For those unable to update, it is recommended to modify the 'ai bot public sharing allowed groups' site setting to prevent such leakage.",Discourse,Discourse-ai,9.1,CRITICAL,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-14T23:15:00.000Z,0
CVE-2024-52589,https://securityvulnerability.io/vulnerability/CVE-2024-52589,Email Exposure Vulnerability in Discourse Community Platform,"CVE-2024-52589 identifies a vulnerability within the Discourse community platform that exposes user email addresses. Moderators with access to the admin dashboard can view screened email lists, potentially compromising user privacy. This vulnerability is crucial for site administrators to address to safeguard user information. The issue has been resolved in the latest patched version of Discourse. Admins concerned about security should ensure their systems are updated or restrict moderator access to prevent unauthorized exposure of user data.",Discourse,,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-19T20:15:00.000Z,0
CVE-2024-52794,https://securityvulnerability.io/vulnerability/CVE-2024-52794,Severe Vulnerability in Discourse Community Platform Affecting Thumbnail Features,"CVE-2024-52794 represents a significant security vulnerability in the Discourse community platform that affects users interacting with lightbox thumbnails. This flaw can potentially allow unauthorized access or manipulation of content when users click on these thumbnails, which can lead to further exploitation. As there are currently no workarounds available, it is crucial for users to immediately upgrade to the latest version of Discourse, where the issue has been successfully patched. Prompt action is essential to maintain the integrity and security of community discussions hosted on the platform.",Discourse,,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-19T20:15:00.000Z,0
CVE-2024-49765,https://securityvulnerability.io/vulnerability/CVE-2024-49765,Local Login Bypass Vulnerability in Discourse Community Platform,"CVE-2024-49765 is a significant local login bypass vulnerability affecting the Discourse community platform. This flaw allows attackers to exploit systems that have the Discourse Connect feature enabled while still allowing local logins. Consequently, attackers can create accounts and log in without proper authorization. To mitigate this risk, users are strongly advised to upgrade to the latest version of Discourse, which includes a patch for this vulnerability. For users unable to upgrade immediately, a temporary workaround is to disable all local login methods to secure their platforms.",Discourse,,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-19T20:15:00.000Z,0
CVE-2024-53991,https://securityvulnerability.io/vulnerability/CVE-2024-53991,Local File Exposure Vulnerability in Discourse Community Platform,"CVE-2024-53991 is a critical local file exposure vulnerability that affects instances of the Discourse community discussion platform, specifically those configured to use `FileStore::LocalStore` for local uploads and backups. This vulnerability allows an attacker who knows the name of a Discourse backup file to craft a malicious request, effectively tricking the web server (nginx) into serving the sensitive backup files directly. To mitigate this risk, it is vital for users to upgrade to the latest stable, beta, or tests-passed Discourse versions. For users unable to perform the upgrade immediately, it is recommended to either back up local files to an external storage device, disable backup functionality, or change backup storage settings to Amazon S3 to enhance security.",Discourse,,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-19T20:15:00.000Z,0
CVE-2024-47773,https://securityvulnerability.io/vulnerability/CVE-2024-47773,Anonymous Cache Poisoning Vulnerability in Discourse Affects Only Anonymous Visitors,"A vulnerability exists in the Discourse platform, an open-source solution for community discussions, allowing attackers to exploit a cache poisoning issue. This vulnerability primarily affects anonymous visitors who may encounter manipulated responses due to repeatedly made XHR requests. Once attacked, the cache can deliver unauthorized content, compromising the integrity of user interactions. The issue has been addressed in the latest version of Discourse, and users are strongly encouraged to upgrade. Those who cannot upgrade should disable the anonymous cache by configuring the `DISCOURSE_DISABLE_ANON_CACHE` environment variable accordingly.",Discourse,Discourse,8.2,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-10-08T18:01:14.063Z,0
CVE-2024-45051,https://securityvulnerability.io/vulnerability/CVE-2024-45051,Attackers Can Bypass Domain-Based Restrictions in Discourse Due to Recent Vulnerability,"A critical vulnerability exists in Discourse, an open-source platform for community discussion, which allows an attacker to utilize a crafted email address to circumvent domain-based restrictions. This exploitation enables unauthorized access to private sites, categories, and groups within the platform. The issue has been addressed in the latest versions of Discourse, and all users are strongly urged to upgrade as there are no existing workarounds. Ensuring that your Discourse installation is up-to-date is essential for maintaining security.",Discourse,Discourse,8.2,HIGH,0.0008699999889358878,false,,false,false,false,,,false,false,,2024-10-07T21:15:00.000Z,0
CVE-2024-43789,https://securityvulnerability.io/vulnerability/CVE-2024-43789,Discourse Platform Patches Potential Availability Reduction Vulnerability,"Discourse is an open source platform for community discussion. A user can create a post with many replies, and then attempt to fetch them all at once. This can potentially reduce the availability of a Discourse instance. This problem has been patched in the latest version of Discourse. All users are advised to upgrade. There are no known workarounds for this vulnerability.",Discourse,Discourse,4.3,MEDIUM,0.00044999999227002263,false,,true,false,true,2024-10-19T16:31:05.000Z,,false,false,,2024-10-07T21:15:00.000Z,0
CVE-2024-47772,https://securityvulnerability.io/vulnerability/CVE-2024-47772,Cross-site Scripting (XSS) via chat excerpts when content security policy (CSP) disabled in Discourse,Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of Discourse. All users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum. Users who do upgrade should also consider enabling a CSP as well as a proactive measure.,Discourse,Discourse,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-10-07T21:15:00.000Z,0
CVE-2024-45297,https://securityvulnerability.io/vulnerability/CVE-2024-45297,Discourse Patches Security Vulnerability Affecting All Users,"Discourse is an open source platform for community discussion. Users can see topics with a hidden tag if they know the label/name of that tag. This issue has been patched in the latest stable, beta and tests-passed version of Discourse. All users are advised to upgrade. There are no known workarounds for this vulnerability.",Discourse,Discourse,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-10-07T21:15:00.000Z,0
CVE-2024-45303,https://securityvulnerability.io/vulnerability/CVE-2024-45303,Cross-Site Scripting Vulnerability in Discourse Calendar Plugin,"The Discourse Calendar plugin enables users to create interactive calendars in discussion topics. However, a vulnerability in versions prior to 0.5 allows attackers to perform Cross-Site Scripting (XSS) attacks through event names if the site's default Content Security Policy (CSP) is modified or disabled. This could lead to unauthorized script execution in the context of a user's session, making it imperative for site administrators to update to the patched version to safeguard against such attacks.",Discourse,Calendar,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-09-12T19:15:00.000Z,0
CVE-2024-21658,https://securityvulnerability.io/vulnerability/CVE-2024-21658,Dynamic Calendar Vulnerability Affects Discourse Instances,discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible.,Discourse,Discourse-calendar,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-08-30T17:18:40.593Z,0
CVE-2024-43408,https://securityvulnerability.io/vulnerability/CVE-2024-43408,Discourse Placeholder Forms has a XSS stopped by CSP,Discourse Placeholder Forms will let you build dynamic documentation. Unsanitized and stored user input was injected in the html of the post. The vulnerability is fixed in commit a62f711d5600e4e5d86f342d52932cb6221672e7.,Discourse,Discourse-placeholder-theme-component,6.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-08-20T17:15:00.000Z,0
CVE-2024-39320,https://securityvulnerability.io/vulnerability/CVE-2024-39320,Open source discussion platform vulnerability fix,"Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.",Discourse,Discourse,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-07-30T14:33:48.589Z,0
CVE-2024-37299,https://securityvulnerability.io/vulnerability/CVE-2024-37299,Discourse vulnerability affects very long tag group names,"A vulnerability in the Discourse discussion platform allows attackers to craft specific requests that submit excessively long tag group names. This can lead to a reduction in the availability of Discourse instances, impacting users and administrators. The issue has been addressed in versions 3.2.5 and 3.3.0.beta5, enhancing the platform's resilience against potential disruptions caused by input validation flaws.",Discourse,Discourse,7.5,HIGH,0.0005300000193528831,false,,false,false,false,,,false,false,,2024-07-30T14:22:36.367Z,0
CVE-2024-37165,https://securityvulnerability.io/vulnerability/CVE-2024-37165,Discourse Fixes XSS Vulnerability in 3.2.3 and 3.3.0.beta3,"Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability is fixed in 3.2.3 and 3.3.0.beta3.",Discourse,Discourse,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-07-30T14:10:24.804Z,0