CVE-2024-35234

Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, an attacker can execute arbitrary JavaScript on users’ browsers by posting a specific URL containing maliciously crafted meta tags. This issue only affects sites with Content Security Polic (CSP) disabled. The problem has been patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch. As a workaround, ensure CSP is enabled on the forum.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*
cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:3.3.0:beta1:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:3.3.0:beta2:*:*:beta:*:*:*

History

21 Nov 2024, 09:19

Type Values Removed Values Added
References () https://github.com/discourse/discourse/commit/26aef0c288839378b9de5819e96eac8cf4ea60fd - Patch () https://github.com/discourse/discourse/commit/26aef0c288839378b9de5819e96eac8cf4ea60fd - Patch
References () https://github.com/discourse/discourse/commit/311b737c910cf0a69f61e1b8bc0b78374b6619d2 - Patch () https://github.com/discourse/discourse/commit/311b737c910cf0a69f61e1b8bc0b78374b6619d2 - Patch
References () https://github.com/discourse/discourse/security/advisories/GHSA-5chg-hm8c-wc58 - Third Party Advisory () https://github.com/discourse/discourse/security/advisories/GHSA-5chg-hm8c-wc58 - Third Party Advisory
CVSS v2 : unknown
v3 : 6.1
v2 : unknown
v3 : 4.2

18 Sep 2024, 14:47

Type Values Removed Values Added
References () https://github.com/discourse/discourse/commit/26aef0c288839378b9de5819e96eac8cf4ea60fd - () https://github.com/discourse/discourse/commit/26aef0c288839378b9de5819e96eac8cf4ea60fd - Patch
References () https://github.com/discourse/discourse/commit/311b737c910cf0a69f61e1b8bc0b78374b6619d2 - () https://github.com/discourse/discourse/commit/311b737c910cf0a69f61e1b8bc0b78374b6619d2 - Patch
References () https://github.com/discourse/discourse/security/advisories/GHSA-5chg-hm8c-wc58 - () https://github.com/discourse/discourse/security/advisories/GHSA-5chg-hm8c-wc58 - Third Party Advisory
CPE cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*
cpe:2.3:a:discourse:discourse:3.3.0:beta1:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:3.3.0:beta2:*:*:beta:*:*:*
First Time Discourse
Discourse discourse
CVSS v2 : unknown
v3 : 4.2
v2 : unknown
v3 : 6.1

03 Jul 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-03 19:15

Updated : 2024-11-21 09:19


NVD link : CVE-2024-35234

Mitre link : CVE-2024-35234

CVE.ORG link : CVE-2024-35234


JSON object : View

Products Affected

discourse

  • discourse
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')