Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of Discourse. All users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum. Users who do upgrade should also consider enabling a CSP as well as a proactive measure.
References
Link | Resource |
---|---|
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP | Mitigation Third Party Advisory |
https://github.com/discourse/discourse/security/advisories/GHSA-67mh-xhmf-c56h | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
19 Oct 2024, 00:58
Type | Values Removed | Values Added |
---|---|---|
References | () https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP - Mitigation, Third Party Advisory | |
References | () https://github.com/discourse/discourse/security/advisories/GHSA-67mh-xhmf-c56h - Vendor Advisory | |
CPE | cpe:2.3:a:discourse:discourse:3.4.0:-:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:* cpe:2.3:a:discourse:discourse:3.4.0:beta1:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:* |
|
First Time |
Discourse
Discourse discourse |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
10 Oct 2024, 12:57
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
07 Oct 2024, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-07 21:15
Updated : 2024-10-19 00:58
NVD link : CVE-2024-47772
Mitre link : CVE-2024-47772
CVE.ORG link : CVE-2024-47772
JSON object : View
Products Affected
discourse
- discourse
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')