PT-2023-22195 · Discourse · Discourse

0Xmokusou

Published: 2023-04-18 · Updated: 2024-03-06 · CVE-2023-29196

CVSS v3.1: 4.2 (Medium)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Discourse versions prior to the latest tests-passed, beta and stable branches

Description

This issue affects Discourse, an open source platform for community discussion. It is not exploitable on the default install of Discourse, requiring a custom feature to be enabled. The attacker's payload must also pass the Content Security Policy (CSP) to be executed. If successful, it could result in session hijacking for users who view the attacker's post.

Recommendations

For versions prior to the latest tests-passed, beta and stable branches, upgrade to the latest version. For users unable to upgrade, enable and/or restore the site's CSP to the default one provided with Discourse and remove any embed-able hosts configured.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2023-29196
CVE-2023-29196
GHSA-986P-4X8Q-8F48

Affected Products

Discourse