PT-2024-27349 · Discourse · Discourse
0Xmokusou
·
Published
2024-07-30
·
Updated
2024-09-11
·
CVE-2024-37165
CVSS v3.1
6.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 3.2.3
Discourse versions prior to 3.3.0.beta3
Description
The issue arises from improperly sanitized Onebox data, which could lead to an XSS vulnerability in certain situations. This vulnerability only affects Discourse instances with the default Content Security Policy disabled.
Recommendations
For versions prior to 3.2.3, update to version 3.2.3 or later to resolve the issue.
For versions prior to 3.3.0.beta3, update to version 3.3.0.beta3 or later to resolve the issue.
As a temporary workaround, consider enabling the default Content Security Policy to minimize the risk of exploitation.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Discourse