Cross-Site Scripting Vulnerability in Discourse Community Platform
CVE-2024-56328
Summary
A vulnerability exists within the Discourse platform that allows an attacker to execute arbitrary JavaScript in the browser of unsuspecting users through maliciously crafted Onebox URLs. This vulnerability specifically impacts instances where Content Security Policy (CSP) is disabled. It is crucial for users to upgrade to the latest version of Discourse to mitigate this security risk. For those who cannot upgrade immediately, enabling CSP, disabling inline Oneboxes globally, or allowing specific domains for Oneboxing are recommended mitigation strategies.
Affected Version(s)
discourse stable: <= 3.3.3 <= stable: 3.3.3
discourse beta: <= 3.4.0.beta3 <= beta: 3.4.0.beta3
discourse tests-passed: <= 3.4.0.beta3 <= tests-passed: 3.4.0.beta3
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved