Discourse Program Statistics


16 total issues disclosed

$5,312 total paid publicly

Most disclosed (6 disclosures) — Cross-site Scripting (XSS) - Generic



Disclosed Reports

| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Account takeover at https://try.discourse.org due to no CSRF protection in connecting Yahoo account | Cross-Site Request Forgery (CSRF) | avinash_ | High | 2018-12-06 |
| CSRF-tokens on pages without no-cache headers, resulting in ATO when using CloudFlare proxy (Web Cache Deception) | Cross-Site Request Forgery (CSRF) | fransrosen | Low | 2018-08-08 |
| Stored XSS in "post last edited" option | Cross-site Scripting (XSS) - Stored | luigigubello | High | 2018-07-09 |
| Gaining access to private topics using quoting feature | Improper Access Control - Generic | mishre | High | 2018-03-17 |
| Any user with invite capabilities can take-over any account on Discourse | None supplied | mishre | Critical | 2017-11-06 |
| SSRF in upload IMG through URL | Information Disclosure | afine-team | Low | 2017-06-18 |
| Any authenticated user can download full list of users, including email | Privacy Violation | arkadiyt | Medium | 2017-06-17 |
| Admin Command Injection via username in user_archive ExportCsvFile | Command Injection - Generic | ziot | High | 2017-05-13 |
| Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks | Information Disclosure | ziot | High | 2017-05-13 |
| Stored XSS in topics because of whitelisted_generic engine vulnerability | Cross-site Scripting (XSS) - Generic | skavans | High | 2017-01-21 |
| XSS in topics because of bandcamp preview engine vulnerability | Cross-site Scripting (XSS) - Generic | skavans | High | 2017-01-21 |
| Stored XSS in posts because of absence of oembed variables values escaping | Cross-site Scripting (XSS) - Generic | skavans | High | 2017-01-21 |
| Users can bookmark other user's messages | Privilege Escalation | strukt | Medium | 2017-01-10 |
| XSS Vulnerability on Image link parser | Cross-site Scripting (XSS) - Generic | alberto__segura | High | 2017-01-10 |
| XSS vulnerability on Audio and Video parsers | Cross-site Scripting (XSS) - Generic | alberto__segura | High | 2017-01-10 |
| DOM Based XSS in Discourse Search | Cross-site Scripting (XSS) - Generic | babayaga_ | High | 2017-01-10 |