Highpmusaraj

Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 3.3.3 Description: This issue affects Discourse instances configured to use `FileStore::LocalStore`, where uploads and backups are stored locally on disk. If an attacker knows the name of the Discourse backup file, they can trick nginx into sending the Discourse backup file with a well-crafted request. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. Recommendations: For Discourse versions prior to 3.3.3, update to stable 3.3.3, beta 3.4.0.beta4, or tests-passed 3.4.0.beta4 to safeguard your data. As a temporary workaround, consider downloading all local backups to another storage device, disabling the `enable backups` site setting, and deleting all backups until the site has been upgraded to pull in the fix. Alternatively, change the `backup location` site setting to `s3` so that backups are stored and downloaded directly from S3.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 2.8.13 Discourse version 3.0.0.beta16 and earlier in the beta and tests-passed channels **Description** The issue allows a maliciously crafted URL to be included in a post to carry out cross-site scripting attacks on sites with disabled or overly permissive Content Security Policy (CSP). Discourse's default CSP prevents this issue. **Recommendations** For versions prior to 2.8.13, update to version 2.8.13 or later. For version 3.0.0.beta16 and earlier in the beta and tests-passed channels, update to version 3.0.0.beta16 or later. As a temporary workaround, enable and/or restore your site's CSP to the default one provided with Discourse.

**Name of the Vulnerable Software and Affected Versions** Discourse (affected versions not specified) **Description** The issue allows a logged-in user to redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. This flaw can lead to a user being incorrectly added to restricted groups, potentially allowing them to view restricted content. **Recommendations** To resolve the issue, users are advised to upgrade to the current stable releases. At the moment, there is no information about specific versions that contain a fix for this vulnerability.