CVE-2024-23834 — Discourse improperly sanitized user input leads to XSS

Description

Discourse is an open-source discussion platform. Improperly sanitized user input could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. The vulnerability is patched in 3.1.5 and 3.2.0.beta5. As a workaround, ensure Content Security Policy is enabled and does not include `unsafe-inline`.

How to fix CVE-2024-23834

To remediate CVE-2024-23834, upgrade the affected package to a fixed version below.

—upgrade to 3.2.0 or later

Is CVE-2024-23834 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (5)

WEBgithub.com/discourse/discourse/commit/568d704a94c528b7c2cb0f3512a7b7b606bc3000
WEBgithub.com/discourse/discourse/security/advisories/GHSA-rj3g-8q6p-63pc
WEBmeta.discourse.org/t/3-1-5-security-and-bug-fix-release/293094
WEB