PT-2023-25979 · Discourse · Discourse

Rothsn +1 · Published 2023-07-28 · Updated 2024-03-06 · CVE-2023-37467

CVSS v3.1: 6.8 (Medium)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 3.1.0.beta7

Description

A Content Security Policy (CSP) nonce reuse issue was discovered that could allow cross-site scripting (XSS) attacks to bypass CSP protection for anonymous users. Although there are no known XSS vectors at the moment, this issue would enable an XSS attack to bypass CSP and execute successfully if one were discovered. This issue does not affect logged-in users.

Recommendations

For versions prior to 3.1.0.beta7, update to version 3.1.0.beta7 or later to resolve the issue. As a temporary workaround, consider disabling Google Tag Manager by unsetting the gtm container id setting to prevent the vulnerability.
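
A CSP nonce is only useful if it differs for every response, so a quick way to confirm the fix or the workaround is to compare the nonces served across several responses. The following Python check is an added example, not Discourse code: it parses CSP headers from constructed sample responses (the labels, hosts and nonce values are invented) and reports any nonce that appears in more than one response.

```python
import re
from collections import defaultdict

# Matches a CSP nonce source expression such as 'nonce-cjM0bmRvbQ=='
NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/_-]+={0,2})'")


def csp_nonces(csp_header):
    """Return the nonces that govern script execution in one CSP header."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            # CSP ignores repeated directives: the first occurrence wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    # script-src falls back to default-src when absent.
    sources = directives.get("script-src", directives.get("default-src", []))
    matches = (NONCE_RE.fullmatch(s) for s in sources)
    return {m.group(1) for m in matches if m}


def find_reused_nonces(responses):
    """Map each nonce seen in more than one response to the responses using it."""
    seen = defaultdict(list)
    for label, header in responses:
        for nonce in sorted(csp_nonces(header)):
            seen[nonce].append(label)
    return {n: labels for n, labels in seen.items() if len(labels) > 1}


# Constructed sample data: labels, hosts and nonce values are invented.
SAMPLE_RESPONSES = [
    ("anon-request-1", "script-src 'self' 'nonce-cjM0bmRvbQ' https://tags.example"),
    ("anon-request-2", "script-src 'self' 'nonce-cjM0bmRvbQ' https://tags.example"),
    ("user-request-1", "script-src 'self' 'nonce-YWJjZGVmZ2g' https://tags.example"),
    ("user-request-2", "script-src 'self' 'nonce-eHl6MTIzNDU' https://tags.example"),
]

if __name__ == "__main__":
    for nonce, labels in find_reused_nonces(SAMPLE_RESPONSES).items():
        print(f"nonce {nonce!r} reused across: {', '.join(labels)}")
```

On a patched instance the same comparison, fed with headers captured from repeated anonymous requests, should return an empty result.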

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2023-37467
CVE-2023-37467
GHSA-GR5H-HM62-JR3J

Affected Products

Discourse