PT-2025-3268 · Discourse · Discourse

Jomaxro · Published 2025-02-04 · Updated 2025-09-26 · CVE-2024-56328

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Discourse (affected versions not specified)

Description: The issue allows an attacker to execute arbitrary JavaScript code in users' browsers by posting a maliciously crafted Onebox URL. This problem only affects sites with Content Security Policy (CSP) disabled. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. The technical details about exploitation include the use of a malicious Onebox URL to execute arbitrary JavaScript code.

Recommendations: For all affected versions, update to the latest version of Discourse to resolve the issue. As a temporary workaround, consider enabling CSP, disabling inline Oneboxes globally, or allowing specific domains for Oneboxing until the issue is resolved.
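Because the advisory says the issue only matters when CSP is disabled, the practical first check for an administrator is whether the site actually serves an enforcing Content-Security-Policy that restricts inline scripts. The script below is an added example, not code from the advisory or from the Discourse project: it parses a CSP header the way a browser selects the script-governing directive (script-src, falling back to default-src) and reports whether inline JavaScript, which is what an injected Onebox would rely on, is left unrestricted. The header samples and the helper names (`assess_csp`, `assess_headers`, `check_site`) are constructed for illustration.

```python
"""Classify a Content-Security-Policy header against the advisory's
"CSP disabled" condition. Added example; header samples are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import urllib.request  # used only by the optional live check at the bottom


@dataclass
class CspVerdict:
    has_policy: bool
    governing_directive: Optional[str]  # 'script-src', 'default-src' or None
    inline_scripts_allowed: bool
    reasons: List[str] = field(default_factory=list)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.
    Names are case-insensitive and, per the spec, the first occurrence wins."""
    directives: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def assess_csp(header: Optional[str]) -> CspVerdict:
    """Decide whether the policy (or its absence) lets inline scripts execute."""
    if header is None or not header.strip():
        return CspVerdict(False, None, True, ["no Content-Security-Policy header"])

    directives = parse_csp(header)
    for name in ("script-src", "default-src"):
        if name in directives:
            sources = [s.lower() for s in directives[name]]
            break
    else:
        # Neither directive present: scripts are not governed at all.
        return CspVerdict(True, None, True,
                          ["policy has neither script-src nor default-src"])

    unsafe_inline = "'unsafe-inline'" in sources
    # CSP Level 2+: any nonce or hash source makes 'unsafe-inline' ignored.
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                        for s in sources)
    if unsafe_inline and nonce_or_hash:
        return CspVerdict(True, name, False,
                          [f"{name} lists 'unsafe-inline' but nonce/hash sources override it"])
    if unsafe_inline:
        return CspVerdict(True, name, True, [f"{name} permits 'unsafe-inline'"])
    return CspVerdict(True, name, False, [f"{name} does not permit inline scripts"])


def assess_headers(headers: Dict[str, str]) -> CspVerdict:
    """Case-insensitive lookup of the enforcing header. The Report-Only variant is
    deliberately ignored: it logs violations but blocks nothing."""
    for key, value in headers.items():
        if key.lower() == "content-security-policy":
            return assess_csp(value)
    return assess_csp(None)


def check_site(url: str) -> CspVerdict:
    """Optional live check against a site you administer (not run offline)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return assess_headers(dict(resp.headers.items()))


if __name__ == "__main__":
    # Constructed samples covering the cases an administrator will meet.
    samples = [
        None,
        "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "script-src 'self' 'nonce-abc123' 'unsafe-inline'",
        "default-src 'self'",
        "img-src *",
    ]
    for sample in samples:
        verdict = assess_csp(sample)
        status = "EXPOSED" if verdict.inline_scripts_allowed else "restricted"
        print(f"{status:10} {sample!r}: {'; '.join(verdict.reasons)}")
```

Run it as-is to see the five constructed cases, or call `check_site("https://forum.example/")` from a shell on your own instance; an `EXPOSED` verdict means the advisory's precondition holds and the listed workarounds (enable CSP, disable inline Oneboxes, or restrict Onebox domains) should be applied until the update is installed.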

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2024-56328
CVE-2024-56328
GHSA-J855-MHXJ-X6VG

Affected Products

Discourse