CVE-2024-54142 Information

Description

Discourse AI is a Discourse plugin that provides a number of AI features. When Discourse AI Bot conversations were shared into posts, HTML entities in the conversation could leak into the Discourse application when a user visited a post containing a onebox to that conversation. This issue has been addressed in commit 92f122c. Users are advised to update. Users unable to update may remove all groups from the "ai bot public sharing allowed groups" site setting.

Reference

https://github.com/discourse/discourse-ai/commit/92f122c54d9d7ead9223a056270bff5b4c42c73f
https://github.com/discourse/discourse-ai/security/advisories/GHSA-94c2-qr2h-88jv
