Cross-Site Scripting Vulnerability in Discourse by Discourse
CVE-2024-53266

4.3 MEDIUM

Key Information:

Vendor: Discourse
Status: Vendor
CVE Published: 4 February 2025

Summary

Discourse, an open-source community platform, is susceptible to a Cross-Site Scripting (XSS) vulnerability when certain plugins are used, especially if Content Security Policy (CSP) is disabled. The flaw allows potentially malicious scripts to execute within the activity streams on users' profile pages, which could compromise user data and experience. A patch has been released in the latest version of Discourse core; users who are unable to upgrade are strongly advised to enable CSP to mitigate this risk.

Affected Version(s)

discourse (stable): versions before 3.3.3

discourse (tests-passed): versions before 3.4.0.beta4

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.