CVE-2024-23834

EPSS 0.51%
Veröffentlicht 30.01.2024 22:15:53
Zuletzt bearbeitet 21.11.2024 08:58:31
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Discourse is an open-source discussion platform. Improperly sanitized user input could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. The vulnerability is patched in 3.1.5 and 3.2.0.beta5.  As a workaround, ensure Content Security Policy is enabled and does not include `unsafe-inline`.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Discourse ≫ Discourse SwEditionstable Version < 3.1.5

Discourse ≫ Discourse SwEditionbeta Version < 3.2.0

Discourse ≫ Discourse Version3.2.0 Updatebeta1 SwEditionbeta

Discourse ≫ Discourse Version3.2.0 Updatebeta2 SwEditionbeta

Discourse ≫ Discourse Version3.2.0 Updatebeta3 SwEditionbeta

Discourse ≫ Discourse Version3.2.0 Updatebeta4 SwEditionbeta

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.51%	0.66

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	6.3	2.8	3.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/discourse/discourse/commit/568d704a94c528b7c2cb0f3512a7b7b606bc3000

Patch

https://github.com/discourse/discourse/security/advisories/GHSA-rj3g-8q6p-63pc

Vendor Advisory

https://meta.discourse.org/t/3-1-5-security-and-bug-fix-release/293094

Vendor Advisory

Release Notes

https://meta.discourse.org/t/3-2-0-beta5-add-groups-to-dms-mobile-chat-footer-redesign-passkeys-enabled-by-default-and-more/293093

Vendor Advisory

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2024-23834

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-23834

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-23834

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-23834