CVE-2024-37165

EPSS 0.99%
Veröffentlicht 30.07.2024 15:15:11
Zuletzt bearbeitet 21.11.2024 09:23:20
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability is fixed in 3.2.3 and 3.3.0.beta3.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Discourse ≫ Discourse SwEditionstable Version < 3.2.3

Discourse ≫ Discourse Version3.3.0 Updatebeta1 SwEditionbeta

Discourse ≫ Discourse Version3.3.0 Updatebeta2 SwEditionbeta

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.99%	0.764

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	6.3	2.8	3.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/discourse/discourse/commit/26aef0c288839378b9de5819e96eac8cf4ea60fd

Patch

https://github.com/discourse/discourse/commit/311b737c910cf0a69f61e1b8bc0b78374b6619d2

Patch

https://github.com/discourse/discourse/security/advisories/GHSA-cx83-5p6x-9qh9

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-37165

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-37165

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-37165

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-37165