Unrated severityNVD Advisory· Published Feb 4, 2025· Updated Feb 4, 2025
Cross-site Scripting (XSS) via topic titles when CSP disabled in Discourse
CVE-2024-53266
Description
Discourse is an open source platform for community discussion. In affected versions with some combinations of plugins, and with CSP disabled, activity streams in the user's profile page may be vulnerable to XSS. This has been patched in the latest version of Discourse core. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3(expand)+ 1 more
- (no CPE)
- (no CPE)range: stable: < 3.3.3
Patches
Vulnerability mechanics
References
1- github.com/discourse/discourse/security/advisories/GHSA-hw4j-4hg7-22h2mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.