CVE-2024-35234

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 3.2.3 on the stable branch Discourse versions prior to 3.3.0.beta3 on the tests-passed branch

Description The issue allows an attacker to execute arbitrary JavaScript on users' browsers by posting a specific URL containing maliciously crafted meta tags. This only affects sites with Content Security Policy (CSP) disabled.

Recommendations For versions prior to 3.2.3 on the stable branch, update to version 3.2.3 or later. For versions prior to 3.3.0.beta3 on the tests-passed branch, update to version 3.3.0.beta3 or later. As a temporary workaround, ensure Content Security Policy (CSP) is enabled on the forum.