CVE-2024-37165 — Discourse has an XSS via Onebox system

Description

Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability is fixed in 3.2.3 and 3.3.0.beta3.

How to fix CVE-2024-37165

To remediate CVE-2024-37165, upgrade the affected package to a fixed version below.

—upgrade to 3.2.3 or later

Is CVE-2024-37165 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.2.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (4)

WEBgithub.com/discourse/discourse/commit/26aef0c288839378b9de5819e96eac8cf4ea60fd
WEBgithub.com/discourse/discourse/commit/311b737c910cf0a69f61e1b8bc0b78374b6619d2
WEBgithub.com/discourse/discourse/security/advisories/GHSA-cx83-5p6x-9qh9
WEBnvd.nist.gov/vuln/detail/CVE-2024-37165