Unrated severityNVD Advisory· Published Jul 30, 2024· Updated Aug 2, 2024

Discourse allows iframe injection though default site setting

CVE-2024-39320

Description

Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.

Affected products

Discourse (software)/Discoursev5
Range: < 3.2.5

Patches

9ed203ed8cdc

https://github.com/discourse/discoursevia osv

f4cbf025b5ed

https://github.com/discourse/discoursevia osv

188cb58daa83

https://github.com/discourse/discoursevia osv

commit

76f06f6b1491

https://github.com/discourse/discoursevia osv

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/discourse/discourse/commit/188cb58daa833839c54c266ce22db150a3f3a210mitrex_refsource_MISC
github.com/discourse/discourse/commit/76f06f6b1491db6bd09a4017d2c5591431b3b16emitrex_refsource_MISC
github.com/discourse/discourse/security/advisories/GHSA-4p82-xh38-gq4pmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000