Discourse 3.3.0 Beta 4 Beta Branch

CPE Details

3.3.0
2024-09-16 18h53 +00:00
2024-09-16 18h53 +00:00

CPE Name: cpe:2.3:a:discourse:discourse:3.3.0:beta4:*:*:beta:*:*:*

Information

Vendor: discourse
Product: discourse
Version: 3.3.0
Update: beta4
Software Edition: beta

Related CVE


| CVE ID | Published | Description | Score | Severity |
|---|---|---|---|---|
| CVE-2024-47772 | 2024-10-07 20h50 +00:00 | Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of Discourse. All users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum. Users who do upgrade should also consider enabling a CSP as a proactive measure. | 6.5 | Medium |
| CVE-2024-43789 | 2024-10-07 20h24 +00:00 | Discourse is an open source platform for community discussion. A user can create a post with many replies, and then attempt to fetch them all at once. This can potentially reduce the availability of a Discourse instance. This problem has been patched in the latest version of Discourse. All users are advised to upgrade. There are no known workarounds for this vulnerability. | 7.5 | High |
| CVE-2024-45297 | 2024-10-07 20h24 +00:00 | Discourse is an open source platform for community discussion. Users can see topics with a hidden tag if they know the label/name of that tag. This issue has been patched in the latest stable, beta and tests-passed version of Discourse. All users are advised to upgrade. There are no known workarounds for this vulnerability. | 5.3 | Medium |
| CVE-2024-45051 | 2024-10-07 20h23 +00:00 | Discourse is an open source platform for community discussion. A maliciously crafted email address could allow an attacker to bypass domain-based restrictions and gain access to private sites, categories and/or groups. This issue has been patched in the latest stable, beta and tests-passed version of Discourse. All users are advised to upgrade. There are no known workarounds for this vulnerability. | 8.2 | High |
| CVE-2024-39320 | 2024-07-30 14h33 +00:00 | Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5. | 6.1 | Medium |
| CVE-2024-37299 | 2024-07-30 14h22 +00:00 | Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, crafting requests to submit very long tag group names can reduce the availability of a Discourse instance. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5. | 7.5 | High |
| CVE-2021-41082 | 2021-09-20 18h20 +00:00 | Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not compromised as users were not able to view the posts in the leaked private message despite seeing it in their inbox. The problematic commit was reverted around 32 minutes after it was made. Users are encouraged to upgrade to the latest commit if they are running Discourse against the `tests-passed` branch. | 7.5 | High |