Discourse 3.3.2 Stable Release
Discourse strongly recommends that all sites follow the default tests-passed branch of Discourse. The “stable” branch is more focused on lack of change than lack of bugs; all releases, including those on tests-passed and beta, are production ready.
Security Updates
This release includes fixes for these security issues reported by our community and HackerOne.
- DoS by the absence of restrictions on replies to posts (CVE-2024-43789)
- Bypass of email address validation via encoded email addresses (CVE-2024-45051)
- Prevent topic list filtering by hidden tags for unauthorized users (CVE-2024-45297)
- XSS via chat excerpts when CSP disabled (CVE-2024-47772)
- Anonymous cache poisoning via XHR requests (CVE-2024-47773)