Vulnerability Description
Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of Discourse. All users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum. Users who do upgrade should also consider enabling a CSP as well as a proactive measure.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | < 3.3.2 |
Related Weaknesses (CWE)
References
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSPMitigationThird Party Advisory
- https://github.com/discourse/discourse/security/advisories/GHSA-67mh-xhmf-c56hVendor Advisory
FAQ
What is CVE-2024-47772?
CVE-2024-47772 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This is...
How severe is CVE-2024-47772?
CVE-2024-47772 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-47772?
Check the references section above for vendor advisories and patch information. Affected products include: Discourse Discourse.