Search
Search Results (266 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-32764 | 1 Discourse | 1 Discourse | 2024-11-21 | 8.1 High |
| Discourse is an open-source discussion platform. In Discourse versions 2.7.5 and prior, parsing and rendering of YouTube Oneboxes can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy. The issue is patched in `stable` version 2.7.6, `beta` version 2.8.0.beta3, and `tests-passed` version 2.8.0.beta3. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks. | ||||
| CVE-2020-24327 | 1 Discourse | 1 Discourse | 2024-11-21 | 5.3 Medium |
| Server Side Request Forgery (SSRF) vulnerability exists in Discourse 2.3.2 and 2.6 via the email function. When writing an email in an editor, you can upload pictures of remote websites. | ||||
| CVE-2019-15515 | 1 Discourse | 1 Discourse | 2024-11-21 | N/A |
| Discourse 2.3.2 sends the CSRF token in the query string. | ||||
| CVE-2019-1020018 | 1 Discourse | 1 Discourse | 2024-11-21 | 7.3 High |
| Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via an email link. | ||||
| CVE-2019-1020017 | 1 Discourse | 1 Discourse | 2024-11-21 | 5.3 Medium |
| Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP. | ||||
| CVE-2024-21658 | 1 Discourse | 1 Discourse Calendar | 2024-09-05 | 4.3 Medium |
| discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in main the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible. | ||||