CVE-2024-56328

Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should enable CSP, disable inline Oneboxes globally, or allow specific domains for Oneboxing.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-j855-mhxj-x6vg

Configurations

No configuration.

History

04 Feb 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-04 21:15

Updated : 2025-02-04 21:15

NVD link : CVE-2024-56328

Mitre link : CVE-2024-56328

CVE.ORG link : CVE-2024-56328

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.5 /10