Unrated severityNVD Advisory· Published Jul 30, 2024· Updated Aug 2, 2024

Discourse has an XSS via Onebox system

CVE-2024-37165

Description

Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability is fixed in 3.2.3 and 3.3.0.beta3.

Affected products

Discourse (software)/Discoursev5
Range: < 3.2.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/discourse/discourse/commit/26aef0c288839378b9de5819e96eac8cf4ea60fdmitrex_refsource_MISC
github.com/discourse/discourse/commit/311b737c910cf0a69f61e1b8bc0b78374b6619d2mitrex_refsource_MISC
github.com/discourse/discourse/security/advisories/GHSA-cx83-5p6x-9qh9mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000