CVE-2024-54142

Cross-site Scripting via Discourse-ai SharedAiConversation onebox in Discourse

Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities, those could leak into the Discourse application when a user visited a post with a onebox to said conversation. This issue has been addressed in commit `92f122c`. Users are advised to update. Users unable to update may remove all groups from the `ai bot public sharing allowed groups` site setting.
Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: discourse
Product: discourse-ai
Version: < 92f122c
Status: affected
No warning was found for this CVE.
EPSS Metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 0.41% | 0.321 |
CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| security-advisories@github.com | 9 | 2.3 | 6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/discourse/discourse-ai/commit/92f122c54d9d7ead9223a056270bff5b4c42c73f
https://github.com/discourse/discourse-ai/security/advisories/GHSA-94c2-qr2h-88jv