Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability is fixed in 3.2.3 and 3.3.0.beta3.
References
Configurations
Configuration 1 (hide)
|
History
11 Sep 2024, 13:52
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
First Time |
Discourse
Discourse discourse |
|
References | () https://github.com/discourse/discourse/commit/26aef0c288839378b9de5819e96eac8cf4ea60fd - Patch | |
References | () https://github.com/discourse/discourse/commit/311b737c910cf0a69f61e1b8bc0b78374b6619d2 - Patch | |
References | () https://github.com/discourse/discourse/security/advisories/GHSA-cx83-5p6x-9qh9 - Vendor Advisory | |
CPE | cpe:2.3:a:discourse:discourse:3.3.0:beta1:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:* cpe:2.3:a:discourse:discourse:3.3.0:beta2:*:*:beta:*:*:* |
31 Jul 2024, 12:57
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
30 Jul 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-30 15:15
Updated : 2024-09-11 13:52
NVD link : CVE-2024-37165
Mitre link : CVE-2024-37165
CVE.ORG link : CVE-2024-37165
JSON object : View
Products Affected
discourse
- discourse
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')