3.3.2: Security and maintenance release

Discourse 3.3.2 Stable Release

Discourse strongly recommends that all sites follow the default tests-passed branch of Discourse. The “stable” branch is more focused on lack of change than lack of bugs - all releases, including those on tests-passed and beta are production ready.

Security Updates

This release includes fixes for these security issues reported by our community and HackerOne.

  • DoS by the absence of restrictions on replies to posts (CVE-2024-43789)
  • Bypass of email address validation via encoded email addresses (CVE-2024-45051)
  • Prevent topic list filtering by hidden tags for unauthorized users (CVE-2024-45297)
  • XSS via chat excerpts when CSP disabled (CVE-2024-47772)
  • Anonymous cache poisoning via XHR requests (CVE-2024-47773)
12 Likes