Skip to content

Improperly sanitized user input leads to XSS

Moderate
jomaxro published GHSA-rj3g-8q6p-63pc Jan 30, 2024

Package

Discourse (Discourse)

Affected versions

stable < 2.1.5; beta/tests-passed < 3.2.0.beta5

Patched versions

stable >= 2.1.5; beta/tests-passed >= 3.2.0.beta5

Description

Impact

Improperly sanitized user input could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy.

Patches

The problem has been resolved in the latest version of Discourse

Workarounds

Ensure Content Security Policy is enabled and does not include unsafe-inline.

Severity

Moderate
6.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVE ID

CVE-2024-23834

Weaknesses

No CWEs

Credits