PT-2023-22765 · Discourse · Discourse

Ry0Tak · Published 2023-04-18 · Updated 2024-03-06 · CVE-2023-30538

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Discourse versions prior to the latest stable and tests-passed versions

Description: The issue arises from improper sanitization of SVG files. An attacker who uploads a crafted SVG file can execute arbitrary JavaScript in users' browsers.

Recommendations: For versions prior to the latest stable and tests-passed versions, upgrade to the latest version. As a temporary workaround, consider enabling CDN handling of uploads and ensure the CDN sanitizes SVG files. Alternatively, disable SVG file uploads by ensuring that the authorized extensions site setting does not include svg, or reset that setting to the default.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2023-30538
CVE-2023-30538
GHSA-W5MV-4PJF-XJ43

Affected Products

Discourse