Discourse Fixes XSS Vulnerability in 3.2.3 and 3.3.0.beta3
CVE-2024-37165
6.1MEDIUM
Key Information
- Vendor
- Discourse
- Status
- Discourse
- Vendor
- CVE Published:
- 30 July 2024
Summary
Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability is fixed in 3.2.3 and 3.3.0.beta3.
Affected Version(s)
discourse < 3.2.3
discourse < 3.3.0.beta1, 3.3.0.beta3
CVSS V3.1
Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published.
Vulnerability Reserved.
Collectors
NVD DatabaseMitre Database