Unrated severityNVD Advisory· Published Nov 10, 2023· Updated Sep 3, 2024

HTML injection in oneboxed links

CVE-2023-47119

Description

Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the stable branch and version 3.2.0.beta3 of the beta and tests-passed branches, some links can inject arbitrary HTML tags when rendered through our Onebox engine. The issue is patched in version 3.1.3 of the stable branch and version 3.2.0.beta3 of the beta and tests-passed branches. There are no known workarounds.

Affected products

Discourse (software)/Discoursev5
Range: < 3.1.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/discourse/discourse/commit/628b293ff53fb617b3464dd27268aec84388cc09mitrex_refsource_MISC
github.com/discourse/discourse/commit/d78357917c6a917a8a27af68756228e89c69321cmitrex_refsource_MISC
github.com/discourse/discourse/security/advisories/GHSA-j95w-5hvx-jp5wmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.011
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000