6.3

CVE-2024-23834

Discourse improperly sanitized user input leads to XSS

Discourse is an open-source discussion platform. Improperly sanitized user input could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. The vulnerability is patched in 3.1.5 and 3.2.0.beta5.  As a workaround, ensure Content Security Policy is enabled and does not include `unsafe-inline`.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DiscourseDiscourse SwEditionstable Version < 3.1.5
DiscourseDiscourse SwEditionbeta Version < 3.2.0
DiscourseDiscourse Version3.2.0 Updatebeta1 SwEditionbeta
DiscourseDiscourse Version3.2.0 Updatebeta2 SwEditionbeta
DiscourseDiscourse Version3.2.0 Updatebeta3 SwEditionbeta
DiscourseDiscourse Version3.2.0 Updatebeta4 SwEditionbeta
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.49% 0.38
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com 6.3 2.8 3.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/discourse/discourse/commit/568d704a94c528b7c2cb0f3512a7b7b606bc3000
Patch
https://github.com/discourse/discourse/security/advisories/GHSA-rj3g-8q6p-63pc
Vendor Advisory
https://meta.discourse.org/t/3-1-5-security-and-bug-fix-release/293094
Vendor Advisory
Release Notes
https://meta.discourse.org/t/3-2-0-beta5-add-groups-to-dms-mobile-chat-footer-redesign-passkeys-enabled-by-default-and-more/293093
Vendor Advisory
Release Notes