CVE-2024-23834

Published: 2024-01-30 22:15:53
CWE: CWE-79
Source: web.nvd.nist.gov
Tags: discourse, open-source, platform, xss, vulnerability, cve-2024-23834, nvd

CVSS3: 6.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.001 Low (percentile 21.0%)

Discourse is an open-source discussion platform. Improperly sanitized user input could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. The vulnerability is patched in 3.1.5 and 3.2.0.beta5. As a workaround, ensure Content Security Policy is enabled and does not include unsafe-inline.

Affected configurations

Vulners / NVD

Node:
  Vendor: discourse, Product: discourse, Range: < 3.1.5
  OR
  Vendor: discourse, Product: discourse, Range: 3.2.0.beta1 to 3.2.0.beta5

Vendor | Product | Version | CPE
discourse | discourse | * | cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse",
    "versions": [
      {
        "version": "< 3.1.5",
        "status": "affected"
      },
      {
        "version": ">= 3.2.0.beta1, < 3.2.0.beta5",
        "status": "affected"
      }
    ]
  }
]
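The two checks a defender needs from this record, as an added example that is not part of the original page or of Discourse itself: a version test over the CNA ranges above (with beta ordering handled explicitly) and a test of whether a served Content-Security-Policy header satisfies the stated workaround, i.e. a CSP is present and inline scripts are not allowed. The header strings below are constructed samples.

```python
import re
from typing import Optional

def parse_version(v: str) -> tuple:
    """'3.2.0.beta5' -> (3, 2, 0, 0, 5); '3.1.5' -> (3, 1, 5, 1, 0).
    The fourth element orders beta builds (0) before final releases (1)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.beta(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Discourse version: {v!r}")
    major, minor, patch, beta = m.groups()
    if beta is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(beta))

def is_affected(version: str) -> bool:
    """True when the version falls in a range the CNA record lists as affected:
    '< 3.1.5' or '>= 3.2.0.beta1, < 3.2.0.beta5'."""
    v = parse_version(version)
    return (v < parse_version("3.1.5")
            or parse_version("3.2.0.beta1") <= v < parse_version("3.2.0.beta5"))

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [sources]} with lowercase tokens."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().lower().split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def csp_mitigates(header: Optional[str]) -> bool:
    """True when the advisory's workaround holds: a CSP is enabled and the
    directive governing scripts does not include 'unsafe-inline'.
    script-src falls back to default-src when absent, as the CSP spec says."""
    if not header or not header.strip():
        return False  # CSP disabled: the workaround is not in place
    policy = parse_csp(header)
    script_sources = policy.get("script-src", policy.get("default-src"))
    if script_sources is None:
        return False  # no directive restricts scripts at all
    return "'unsafe-inline'" not in script_sources
```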

