CVE-2023-25172

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 3.0.1 of the stable branch Discourse versions prior to 3.1.0.beta2 of the beta and tests-passed branches

Description Discourse is an open-source discussion platform. A maliciously crafted URL can be included in a user's full name field to carry out cross-site scripting attacks on sites with a disabled or overly permissive Content Security Policy (CSP). Discourse's default CSP prevents this issue.

Recommendations For versions prior to 3.0.1 of the stable branch, update to version 3.0.1 or later. For versions prior to 3.1.0.beta2 of the beta and tests-passed branches, update to version 3.1.0.beta2 or later. As a temporary workaround, enable and/or restore your site's CSP to the default one provided with Discourse.