Vulnerability Description
Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability is fixed in 3.2.3 and 3.3.0.beta3.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | < 3.2.3 |
Related Weaknesses (CWE)
References
- https://github.com/discourse/discourse/commit/26aef0c288839378b9de5819e96eac8cf4Patch
- https://github.com/discourse/discourse/commit/311b737c910cf0a69f61e1b8bc0b78374bPatch
- https://github.com/discourse/discourse/security/advisories/GHSA-cx83-5p6x-9qh9Vendor Advisory
- https://github.com/discourse/discourse/commit/26aef0c288839378b9de5819e96eac8cf4Patch
- https://github.com/discourse/discourse/commit/311b737c910cf0a69f61e1b8bc0b78374bPatch
- https://github.com/discourse/discourse/security/advisories/GHSA-cx83-5p6x-9qh9Vendor Advisory
FAQ
What is CVE-2024-37165?
CVE-2024-37165 is a vulnerability with a CVSS score of 6.3 (MEDIUM). Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects...
How severe is CVE-2024-37165?
CVE-2024-37165 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-37165?
Check the references section above for vendor advisories and patch information. Affected products include: Discourse Discourse.