Discourse strongly recommends that all sites follow the default tests-passed branch of Discourse. The “stable” branch is focused on lack of change rather than lack of bugs: all releases, including those on tests-passed and beta, are production ready.
- BCC active user emails from group SMTP CVE-2022-46168
- Sanitize PendingPost titles before rendering to prevent XSS CVE-2023-22454
- Don’t expose user post counts to users who can’t see the topic CVE-2023-22453
- Escape quotes in tag description when rendering CVE-2023-22455
- Check the length of raw post body to prevent max_length bypass CVE-2022-23549
- Delete email tokens when a user’s email is changed or deleted CVE-2022-46177
- Use rstrip instead of regex gsub to prevent ReDoS CVE-2022-23548
- Convert send_digest to a POST request CVE-2022-23546
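The rstrip-versus-gsub item (CVE-2022-23548) is worth seeing in working code. The block below is an added example written for this page, not Discourse's own code; the pattern `/\s+$/` is assumed as a representative trailing-whitespace regex, not necessarily the one Discourse replaced, and the adversarial input is constructed. It shows why a backtracking regex on a long run of whitespace that does not end the string costs quadratic time, while `String#rstrip` is a single linear scan, and it records the two behaviour differences a reviewer should check before swapping one for the other.

```ruby
require "benchmark"

# Illustrative trailing-whitespace pattern. This is an assumption for the
# example, not necessarily the exact regex Discourse replaced: `\s+$` is the
# textbook backtracking hazard, because on "many spaces followed by a non-space"
# the engine matches the run, fails at `$`, gives back one character at a time,
# and then repeats the whole dance from the next start offset.
TRAILING_WS_REGEX = /\s+$/

def strip_trailing_ws_regex(text)
  text.gsub(TRAILING_WS_REGEX, "")
end

# Linear-time alternative: one backwards scan, no backtracking at all.
# Caveats: rstrip also removes trailing NUL bytes, and it only trims the end of
# the string, whereas `$` matches before every newline, so the regex trims the
# end of every line.
def strip_trailing_ws_rstrip(text)
  text.rstrip
end

# Constructed adversarial input: a long run of spaces that is NOT at the end of
# the string, so the regex can never succeed but must try from every offset.
def adversarial_input(n)
  (" " * n) + "x"
end

# Runs both implementations on the same input and returns their outputs and
# wall-clock times, so a caller can check equivalence and compare cost.
def compare(input)
  regex_out = rstrip_out = nil
  regex_s  = Benchmark.realtime { regex_out  = strip_trailing_ws_regex(input) }
  rstrip_s = Benchmark.realtime { rstrip_out = strip_trailing_ws_rstrip(input) }
  { regex: regex_out, rstrip: rstrip_out,
    regex_seconds: regex_s, rstrip_seconds: rstrip_s }
end

if $PROGRAM_NAME == __FILE__
  [1_000, 10_000].each do |n|
    r = compare(adversarial_input(n))
    printf("n=%-6d regex=%.4fs rstrip=%.6fs same_output=%s\n",
           n, r[:regex_seconds], r[:rstrip_seconds], r[:regex] == r[:rstrip])
  end
end
```

On Ruby releases before 3.2 the regex time grows roughly a hundredfold when n grows tenfold; Ruby 3.2 added memoisation to the regex engine (and `Regexp.timeout`), which should make this particular pattern linear, so the example reports the timings rather than asserting on them. The equivalence check is the part to keep: on a multi-line body or one containing NUL bytes the two functions return different strings, so the swap is safe only where the input is already constrained to a single line.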
The mermaid theme component has also received a security fix. Be sure to update theme components in addition to Discourse.
- Render errors as plain text CVE-2022-46180
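Three of the fixes above are the same lesson: untrusted text reaching HTML without escaping (the PendingPost title and tag description XSS, CVE-2023-22454 and CVE-2023-22455) or reaching the browser as markup when it should be text (the Mermaid error rendering, CVE-2022-46180). The block below is an added example for this page, not code from Discourse or the theme component; the markup, the attribute-scanning check, and the hostile inputs are all constructed assumptions. It places the vulnerable attribute interpolation beside the escaped form, shows the plain-text alternative for error messages, and includes a small check that counts how many attributes the rendered tag actually ends up with.

```ruby
require "erb"

# Constructed attacker-controlled inputs (assumptions for this example).
HOSTILE_DESCRIPTION = %q(Useful tag" onmouseover="alert(document.cookie)).freeze
HOSTILE_ERROR       = %q(Parse error: <img src=x onerror="alert(1)">).freeze

# Vulnerable pattern: untrusted text interpolated into an attribute as-is. A
# double quote in the value closes the attribute and lets the attacker add
# event-handler attributes of their own.
def render_tag_unsafe(name, description)
  %(<a class="discourse-tag" title="#{description}">#{name}</a>)
end

# Hardened pattern: HTML-escape every untrusted value before interpolation.
# ERB::Util.html_escape rewrites & < > " and ', so a quote cannot terminate
# the attribute and an angle bracket cannot open a tag.
def render_tag_safe(name, description)
  h = ERB::Util.method(:html_escape)
  %(<a class="discourse-tag" title="#{h.call(description)}">#{h.call(name)}</a>)
end

# Error messages get the same rule: either escape them into the HTML, or serve
# them as text/plain so the browser never parses them as markup at all.
# Both return a [content_type, body] pair.
def error_as_html(message)
  ["text/html; charset=utf-8",
   %(<p class="error">#{ERB::Util.html_escape(message)}</p>)]
end

def error_as_plain_text(message)
  ["text/plain; charset=utf-8", message]
end

# Minimal review check (constructed for this example, not a full HTML parser):
# list the quoted attributes on the first tag. If the rendered tag carries
# attributes the template never declared, the value broke out of its quotes.
def attribute_names(html)
  open_tag = html[/<\w+\b([^>]*)>/, 1] || ""
  open_tag.scan(/([a-zA-Z-]+)="[^"]*"/).flatten
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe: #{attribute_names(render_tag_unsafe('Useful', HOSTILE_DESCRIPTION)).inspect}"
  puts "safe:   #{attribute_names(render_tag_safe('Useful', HOSTILE_DESCRIPTION)).inspect}"
  puts "error:  #{error_as_plain_text(HOSTILE_ERROR).inspect}"
end
```

The unsafe render gains an `onmouseover` attribute the template never declared; the escaped render keeps exactly `class` and `title`, with the attacker's quote surviving only as `&quot;` inside the title value. For the error case, escaping and a `text/plain` content type are both sufficient on their own; the bug class is choosing neither.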