Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, an attacker can execute arbitrary JavaScript in users' browsers by posting a specific URL containing maliciously crafted meta tags. This issue only affects sites with Content Security Policy (CSP) disabled. The problem has been patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch. As a workaround, ensure CSP is enabled on the forum.
References
Configurations
Configuration 1
History
18 Sep 2024, 14:47
Type | Values Removed | Values Added
---|---|---
First Time | | Discourse; Discourse discourse
CVSS | v2 : v3 : | v2 : unknown; v3 : 6.1
CPE | | cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*; cpe:2.3:a:discourse:discourse:3.3.0:beta1:*:*:beta:*:*:*; cpe:2.3:a:discourse:discourse:3.3.0:beta2:*:*:beta:*:*:*; cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*
References | | https://github.com/discourse/discourse/commit/26aef0c288839378b9de5819e96eac8cf4ea60fd - Patch
References | | https://github.com/discourse/discourse/commit/311b737c910cf0a69f61e1b8bc0b78374b6619d2 - Patch
References | | https://github.com/discourse/discourse/security/advisories/GHSA-5chg-hm8c-wc58 - Third Party Advisory
05 Jul 2024, 12:55
Type | Values Removed | Values Added
---|---|---
Summary | |
03 Jul 2024, 19:15
Type | Values Removed | Values Added
---|---|---
New CVE | |
Information
Published : 2024-07-03 19:15
Updated : 2024-09-18 14:47
NVD link : CVE-2024-35234
Mitre link : CVE-2024-35234
CVE.ORG link : CVE-2024-35234
Products Affected
discourse
- discourse
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')