OsamaSayegh

9 exploits Active since Sep 2022
CVE-2022-46177 WRITEUP MEDIUM WRITEUP
Discourse <2.8.14 - stable & <3.0.0.beta16 - beta & tests-passed - ...
Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, when a user requests for a password reset link email, then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account's primary email would be re-linked to the old email. If the old email address is compromised or has transferred ownership, this leads to an account takeover. This is however mitigated by the SiteSetting `email_token_valid_hours` which is currently 48 hours. Users should upgrade to versions 2.8.14 or 3.0.0.beta15 to receive a patch. As a workaround, lower `email_token_valid_hours ` as needed.
CVSS 5.7
CVE-2023-25172 WRITEUP MEDIUM WRITEUP
Discourse < 3.0.1 and < 3.1.0.beta2 - Cross-Site Scripting via User Full Name Field
Discourse is an open-source discussion platform. Prior to version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, a maliciously crafted URL can be included in a user's full name field to to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. The vulnerability is patched in version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches. As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.
CVSS 4.4
CVE-2023-37467 WRITEUP MEDIUM WRITEUP
Discourse beta and tests-passed < 3.1.0.beta7 - Unauthenticated Cross-Site Scripting via CSP Nonce Reuse
Discourse is an open source discussion platform. Prior to version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a CSP (Content Security Policy) nonce reuse vulnerability was discovered could allow cross-site scripting (XSS) attacks to bypass CSP protection for anonymous (i.e. unauthenticated) users. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to bypass CSP and execute successfully. This vulnerability isn't applicable to logged-in users. Version 3.1.0.beta7 contains a patch. The stable branch doesn't have this vulnerability. A workaround to prevent the vulnerability is to disable Google Tag Manager, i.e., unset the `gtm container id` setting.
CVSS 6.8
CVE-2024-36113 WRITEUP MEDIUM WRITEUP
Discourse <3.2.3-3.3.0.beta4-dev - Privilege Escalation
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch, a rogue staff user could suspend other staff users preventing them from logging in to the site. The issue is patched in version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch. No known workarounds are available.
CVSS 4.9
CVE-2022-36066 WRITEUP CRITICAL WRITEUP
Discourse <2.8.9-2.9.0.beta10 - RCE
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigger remote code execution. The problem is patched in version 2.8.9 on the `stable` branch and version 2.9.0.beta10 on the `beta` and `tests-passed` branches. There are no known workarounds.
CVSS 9.1
CVE-2022-46177 WRITEUP MEDIUM WRITEUP
Discourse <2.8.14 - stable & <3.0.0.beta16 - beta & tests-passed - ...
Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, when a user requests for a password reset link email, then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account's primary email would be re-linked to the old email. If the old email address is compromised or has transferred ownership, this leads to an account takeover. This is however mitigated by the SiteSetting `email_token_valid_hours` which is currently 48 hours. Users should upgrade to versions 2.8.14 or 3.0.0.beta15 to receive a patch. As a workaround, lower `email_token_valid_hours ` as needed.
CVSS 5.7
CVE-2023-25172 WRITEUP MEDIUM WRITEUP
Discourse < 3.0.1 and < 3.1.0.beta2 - Cross-Site Scripting via User Full Name Field
Discourse is an open-source discussion platform. Prior to version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, a maliciously crafted URL can be included in a user's full name field to to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. The vulnerability is patched in version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches. As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.
CVSS 4.4
CVE-2024-36113 WRITEUP MEDIUM WRITEUP
Discourse <3.2.3-3.3.0.beta4-dev - Privilege Escalation
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch, a rogue staff user could suspend other staff users preventing them from logging in to the site. The issue is patched in version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch. No known workarounds are available.
CVSS 4.9
CVE-2024-53851 WRITEUP MEDIUM WRITEUP
Discourse < 3.3.3 and < 3.4.0 - Authenticated Denial of Service via Inline Onebox URL Endpoint
Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This vulnerability is only exploitable by authenticated users. This issue has been patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade should turn off the `enable inline onebox on all domains` site setting and remove all entries from the `allowed inline onebox domains` site setting.
CVSS 4.3