CVE-2024-35234 Information

Jul 04, 2024 cve

Description

Discourse is an open-source discussion platform. Prior to version 3.2.3 on the stable branch and version 3.3.0.beta3 on the tests-passed branch an attacker can execute arbitrary JavaScript on users’ browsers by posting a specific URL containing maliciously crafted meta tags. This issue only affects sites with Content Security Polic (CSP) disabled. The problem has been patched in version 3.2.3 on the stable branch and version 3.3.0.beta3 on the tests-passed branch. As a workaround ensure CSP is enabled on the forum.

Reference

https://github.com/discourse/discourse/security/advisories/GHSA-5chg-hm8c-wc58 https://github.com/discourse/discourse/commit/26aef0c288839378b9de5819e96eac8cf4ea60fd https://github.com/discourse/discourse/commit/311b737c910cf0a69f61e1b8bc0b78374b6619d2

Share on: