Highjomaxro

**Name of the Vulnerable Software and Affected Versions** Discourse versions 3.1.0 through 3.1.2 Discourse versions 3.1.0,beta6 through 3.2.0.beta2 **Description** Discourse is an open source platform for community discussion. In the affected versions, Redis memory can be depleted by crafting a site with an abnormally long favicon URL and drafting multiple posts which Onebox it. **Recommendations** For Discourse versions 3.1.0 through 3.1.2, update to version 3.1.3 or later. For Discourse versions 3.1.0,beta6 through 3.2.0.beta2, update to version 3.2.0.beta3 or later.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 3.0.1 of the `stable` branch Discourse versions prior to 3.1.0.beta2 of the `beta` and `tests-passed` branches **Description** Discourse is an open-source discussion platform. A maliciously crafted URL can be included in a user's full name field to carry out cross-site scripting attacks on sites with a disabled or overly permissive Content Security Policy (CSP). Discourse's default CSP prevents this issue. **Recommendations** For versions prior to 3.0.1 of the `stable` branch, update to version 3.0.1 or later. For versions prior to 3.1.0.beta2 of the `beta` and `tests-passed` branches, update to version 3.1.0.beta2 or later. As a temporary workaround, enable and/or restore your site's CSP to the default one provided with Discourse.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 2.8.14 on the stable branch Discourse versions prior to 3.0.0.beta16 on the beta and tests-passed branches **Description** The issue concerns a cross-site scripting attack through pending post titles, which can be created by unprivileged users in categories requiring moderator approval. This can lead to a full XSS on sites with modified or disabled Content Security Policy. **Recommendations** For versions prior to 2.8.14 on the stable branch, update to version 2.8.14 or later. For versions prior to 3.0.0.beta16 on the beta and tests-passed branches, update to version 3.0.0.beta16 or later. As a temporary workaround, consider restricting the creation of pending posts in categories with the "require moderator approval of all new topics" setting set, until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Discourse (affected versions not specified) **Description** The issue affects the Discourse open source discussion platform, where in rare cases, users redeeming an invitation can be added as a participant to several private message topics they should not have access to, without being notified. This happens transparently in the background. **Recommendations** To resolve the issue, users are advised to upgrade to a future release that includes the fix. As a temporary workaround, consider setting `SiteSetting.max invites per day` to 0 until the patch is installed.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to the latest stable, beta, and test-passed versions **Description** A malicious admin could exploit this issue to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. **Recommendations** For all versions prior to the latest stable, beta, and test-passed versions, update to the latest version to resolve the issue. As a temporary workaround, self-hosters can use the `DISCOURSE BLOCKED IP BLOCKS` env var to stop webhooks from accessing private IPs.