CVE-2023-37467

MEDIUM 6.8 | EPSS 0.19%
Published: 2024/3/6 | Modified: 2025/10/15

Description

Discourse is an open source discussion platform. Prior to version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a CSP (Content Security Policy) nonce reuse vulnerability was discovered that could allow cross-site scripting (XSS) attacks to bypass CSP protection for anonymous (i.e. unauthenticated) users. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to bypass CSP and execute successfully. This vulnerability isn't applicable to logged-in users. Version 3.1.0.beta7 contains a patch. The stable branch doesn't have this vulnerability. A workaround to prevent the vulnerability is to disable Google Tag Manager, i.e., unset the `gtm container id` setting.
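A CSP nonce only protects against injected scripts if every response carries a fresh, unpredictable value; a nonce that repeats across anonymous responses is effectively a static allow-list token. The following Ruby snippet is an added example, not Discourse code: it parses the `script-src` nonce out of `Content-Security-Policy` headers, flags any nonce that appears in more than one response (the condition this advisory describes), and shows the per-response minting that a fixed implementation performs. The sample headers are constructed, not captured from a real Discourse instance.

```ruby
require 'securerandom'

# Extract the nonce token from the script-src directive of a CSP header value.
# Returns nil when the header has no script-src nonce.
def csp_script_nonce(csp)
  directive = csp.split(';').map(&:strip).find { |d| d.split.first == 'script-src' }
  return nil unless directive
  m = directive.match(%r{'nonce-([A-Za-z0-9+/=_-]+)'})
  m && m[1]
end

# Given one header hash per HTTP response, return the nonces that were reused
# across responses. An empty array is the healthy state: a per-request nonce
# must never repeat, otherwise anyone who has seen one page knows the value.
def reused_nonces(responses)
  counts = Hash.new(0)
  responses.each do |headers|
    n = csp_script_nonce(headers['Content-Security-Policy'].to_s)
    counts[n] += 1 if n
  end
  counts.select { |_, c| c > 1 }.keys
end

# The corrected behaviour: mint a fresh random nonce for every response and
# embed that same value in the header (and in each legitimate <script nonce=...>).
# Returns [header_value, nonce] so callers can reuse the nonce in the page body.
def fresh_csp_header
  nonce = SecureRandom.base64(18)
  ["script-src 'self' 'nonce-#{nonce}'; object-src 'none'", nonce]
end

# Constructed sample: three anonymous responses that all carry the same nonce.
SAMPLE_ANON = [
  { 'Content-Security-Policy' => "script-src 'self' 'nonce-abc123'; object-src 'none'" },
  { 'Content-Security-Policy' => "script-src 'self' 'nonce-abc123'; object-src 'none'" },
  { 'Content-Security-Policy' => "script-src 'self' 'nonce-abc123'; object-src 'none'" },
]
```

Run `reused_nonces` over headers captured from several logged-out page loads to verify a deployment: a non-empty result means the nonce is not per-request.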

Affected packages (1)

  • Bitnami/discourse>= 1.1.0-beta1, <= 1.1.0-beta1, >= 1.1.0-beta2, <= 1.1.0-beta2, >= 1.1.0-beta3, <= 1.1.0-beta3, >= 1.1.0-beta4, <= 1.1.0-beta4, >= 1.1.0-beta5, <= 1.1.0-beta5, >= 1.1.0-beta6, <= 1.1.0-beta6, >= 1.1.0-beta6b, <= 1.1.0-beta6b, >= 1.1.0-beta7, <= 1.1.0-beta7, >= 1.1.0-beta8, <= 1.1.0-beta8, >= 1.2.0-beta1, <= 1.2.0-beta1, >= 1.2.0-beta2, <= 1.2.0-beta2, >= 1.2.0-beta3, <= 1.2.0-beta3, >= 1.2.0-beta4, <= 1.2.0-beta4, >= 1.2.0-beta5, <= 1.2.0-beta5, >= 1.2.0-beta6, <= 1.2.0-beta6, >= 1.2.0-beta7, <= 1.2.0-beta7, >= 1.2.0-beta8, <= 1.2.0-beta8, >= 1.2.0-beta9, <= 1.2.0-beta9, >= 1.3.0-beta1, <= 1.3.0-beta1, >= 1.3.0-beta10, <= 1.3.0-beta10, >= 1.3.0-beta11, <= 1.3.0-beta11, >= 1.3.0-beta2, <= 1.3.0-beta2, >= 1.3.0-beta3, <= 1.3.0-beta3, >= 1.3.0-beta4, <= 1.3.0-beta4, >= 1.3.0-beta5, <= 1.3.0-beta5, >= 1.3.0-beta6, <= 1.3.0-beta6, >= 1.3.0-beta7, <= 1.3.0-beta7, >= 1.3.0-beta8, <= 1.3.0-beta8, >= 1.3.0-beta9, <= 1.3.0-beta9, >= 1.4.0-beta1, <= 1.4.0-beta1, >= 1.4.0-beta10, <= 1.4.0-beta10, >= 1.4.0-beta11, <= 1.4.0-beta11, >= 1.4.0-beta12, <= 1.4.0-beta12, >= 1.4.0-beta2, <= 1.4.0-beta2, >= 1.4.0-beta3, <= 1.4.0-beta3, >= 1.4.0-beta4, <= 1.4.0-beta4, >= 1.4.0-beta5, <= 1.4.0-beta5, >= 1.4.0-beta6, <= 1.4.0-beta6, >= 1.4.0-beta7, <= 1.4.0-beta7, >= 1.4.0-beta8, <= 1.4.0-beta8, >= 1.4.0-beta9, <= 1.4.0-beta9, >= 1.5.0-beta1, <= 1.5.0-beta1, >= 1.5.0-beta10, <= 1.5.0-beta10, >= 1.5.0-beta11, <= 1.5.0-beta11, >= 1.5.0-beta12, <= 1.5.0-beta12, >= 1.5.0-beta13, <= 1.5.0-beta13, >= 1.5.0-beta13b, <= 1.5.0-beta13b, >= 1.5.0-beta14, <= 1.5.0-beta14, >= 1.5.0-beta2, <= 1.5.0-beta2, >= 1.5.0-beta3, <= 1.5.0-beta3, >= 1.5.0-beta4, <= 1.5.0-beta4, >= 1.5.0-beta5, <= 1.5.0-beta5, >= 1.5.0-beta6, <= 1.5.0-beta6, >= 1.5.0-beta7, <= 1.5.0-beta7, >= 1.5.0-beta8, <= 1.5.0-beta8, >= 1.5.0-beta9, <= 1.5.0-beta9, >= 1.6.0-beta1, <= 1.6.0-beta1, >= 1.6.0-beta10, <= 1.6.0-beta10, >= 1.6.0-beta11, <= 1.6.0-beta11, >= 1.6.0-beta12, <= 1.6.0-beta12, >= 1.6.0-beta2, <= 
1.6.0-beta2, >= 1.6.0-beta3, <= 1.6.0-beta3, >= 1.6.0-beta4, <= 1.6.0-beta4, >= 1.6.0-beta5, <= 1.6.0-beta5, >= 1.6.0-beta6, <= 1.6.0-beta6, >= 1.6.0-beta7, <= 1.6.0-beta7, >= 1.6.0-beta8, <= 1.6.0-beta8, >= 1.6.0-beta9, <= 1.6.0-beta9, >= 1.7.0-beta1, <= 1.7.0-beta1, >= 1.7.0-beta10, <= 1.7.0-beta10, >= 1.7.0-beta11, <= 1.7.0-beta11, >= 1.7.0-beta2, <= 1.7.0-beta2, >= 1.7.0-beta3, <= 1.7.0-beta3, >= 1.7.0-beta4, <= 1.7.0-beta4, >= 1.7.0-beta5, <= 1.7.0-beta5, >= 1.7.0-beta6, <= 1.7.0-beta6, >= 1.7.0-beta7, <= 1.7.0-beta7, >= 1.7.0-beta8, <= 1.7.0-beta8, >= 1.7.0-beta9, <= 1.7.0-beta9, >= 1.8.0-beta1, <= 1.8.0-beta1, >= 1.8.0-beta10, <= 1.8.0-beta10, >= 1.8.0-beta11, <= 1.8.0-beta11, >= 1.8.0-beta12, <= 1.8.0-beta12, >= 1.8.0-beta13, <= 1.8.0-beta13, >= 1.8.0-beta2, <= 1.8.0-beta2, >= 1.8.0-beta3, <= 1.8.0-beta3, >= 1.8.0-beta4, <= 1.8.0-beta4, >= 1.8.0-beta5, <= 1.8.0-beta5, >= 1.8.0-beta6, <= 1.8.0-beta6, >= 1.8.0-beta7, <= 1.8.0-beta7, >= 1.8.0-beta8, <= 1.8.0-beta8, >= 1.8.0-beta9, <= 1.8.0-beta9, >= 1.9.0-beta1, <= 1.9.0-beta1, >= 1.9.0-beta10, <= 1.9.0-beta10, >= 1.9.0-beta11, <= 1.9.0-beta11, >= 1.9.0-beta12, <= 1.9.0-beta12, >= 1.9.0-beta13, <= 1.9.0-beta13, >= 1.9.0-beta14, <= 1.9.0-beta14, >= 1.9.0-beta15, <= 1.9.0-beta15, >= 1.9.0-beta16, <= 1.9.0-beta16, >= 1.9.0-beta17, <= 1.9.0-beta17, >= 1.9.0-beta2, <= 1.9.0-beta2, >= 1.9.0-beta3, <= 1.9.0-beta3, >= 1.9.0-beta4, <= 1.9.0-beta4, >= 1.9.0-beta5, <= 1.9.0-beta5, >= 1.9.0-beta6, <= 1.9.0-beta6, >= 1.9.0-beta7, <= 1.9.0-beta7, >= 1.9.0-beta8, <= 1.9.0-beta8, >= 1.9.0-beta9, <= 1.9.0-beta9, >= 2.0.0-beta1, <= 2.0.0-beta1, >= 2.0.0-beta10, <= 2.0.0-beta10, >= 2.0.0-beta2, <= 2.0.0-beta2, >= 2.0.0-beta3, <= 2.0.0-beta3, >= 2.0.0-beta4, <= 2.0.0-beta4, >= 2.0.0-beta5, <= 2.0.0-beta5, >= 2.0.0-beta6, <= 2.0.0-beta6, >= 2.0.0-beta7, <= 2.0.0-beta7, >= 2.0.0-beta8, <= 2.0.0-beta8, >= 2.0.0-beta9, <= 2.0.0-beta9, >= 2.1.0-beta1, <= 2.1.0-beta1, >= 2.1.0-beta2, <= 2.1.0-beta2, >= 2.1.0-beta3, <= 2.1.0-beta3, >= 
2.1.0-beta4, <= 2.1.0-beta4, >= 2.1.0-beta5, <= 2.1.0-beta5, >= 2.1.0-beta6, <= 2.1.0-beta6, >= 2.2.0-beta1, <= 2.2.0-beta1, >= 2.2.0-beta10, <= 2.2.0-beta10, >= 2.2.0-beta2, <= 2.2.0-beta2, >= 2.2.0-beta3, <= 2.2.0-beta3, >= 2.2.0-beta4, <= 2.2.0-beta4, >= 2.2.0-beta5, <= 2.2.0-beta5, >= 2.2.0-beta6, <= 2.2.0-beta6, >= 2.2.0-beta7, <= 2.2.0-beta7, >= 2.2.0-beta8, <= 2.2.0-beta8, >= 2.2.0-beta9, <= 2.2.0-beta9, >= 2.3.0-beta1, <= 2.3.0-beta1, >= 2.3.0-beta10, <= 2.3.0-beta10, >= 2.3.0-beta11, <= 2.3.0-beta11, >= 2.3.0-beta2, <= 2.3.0-beta2, >= 2.3.0-beta3, <= 2.3.0-beta3, >= 2.3.0-beta4, <= 2.3.0-beta4, >= 2.3.0-beta5, <= 2.3.0-beta5, >= 2.3.0-beta6, <= 2.3.0-beta6, >= 2.3.0-beta7, <= 2.3.0-beta7, >= 2.3.0-beta8, <= 2.3.0-beta8, >= 2.3.0-beta9, <= 2.3.0-beta9, >= 2.4.0-beta1, <= 2.4.0-beta1, >= 2.4.0-beta10, <= 2.4.0-beta10, >= 2.4.0-beta11, <= 2.4.0-beta11, >= 2.4.0-beta2, <= 2.4.0-beta2, >= 2.4.0-beta3, <= 2.4.0-beta3, >= 2.4.0-beta4, <= 2.4.0-beta4, >= 2.4.0-beta5, <= 2.4.0-beta5, >= 2.4.0-beta6, <= 2.4.0-beta6, >= 2.4.0-beta7, <= 2.4.0-beta7, >= 2.4.0-beta8, <= 2.4.0-beta8, >= 2.4.0-beta9, <= 2.4.0-beta9, >= 2.5.0-beta1, <= 2.5.0-beta1, >= 2.5.0-beta2, <= 2.5.0-beta2, >= 2.5.0-beta3, <= 2.5.0-beta3, >= 2.5.0-beta4, <= 2.5.0-beta4, >= 2.5.0-beta5, <= 2.5.0-beta5, >= 2.5.0-beta6, <= 2.5.0-beta6, >= 2.5.0-beta7, <= 2.5.0-beta7, >= 2.6.0-beta1, <= 2.6.0-beta1, >= 2.6.0-beta2, <= 2.6.0-beta2, >= 2.6.0-beta3, <= 2.6.0-beta3, >= 2.6.0-beta4, <= 2.6.0-beta4, >= 2.6.0-beta5, <= 2.6.0-beta5, >= 2.6.0-beta6, <= 2.6.0-beta6, >= 2.7.0-beta1, <= 2.7.0-beta1, >= 2.7.0-beta2, <= 2.7.0-beta2, >= 2.7.0-beta3, <= 2.7.0-beta3, >= 2.7.0-beta4, <= 2.7.0-beta4, >= 2.7.0-beta5, <= 2.7.0-beta5, >= 2.7.0-beta6, <= 2.7.0-beta6, >= 2.7.0-beta7, <= 2.7.0-beta7, >= 2.7.0-beta8, <= 2.7.0-beta8, >= 2.7.0-beta9, <= 2.7.0-beta9, >= 2.8.0-beta1, <= 2.8.0-beta1, >= 2.8.0-beta10, <= 2.8.0-beta10, >= 2.8.0-beta11, <= 2.8.0-beta11, >= 2.8.0-beta2, <= 2.8.0-beta2, >= 2.8.0-beta3, <= 2.8.0-beta3, >= 
2.8.0-beta4, <= 2.8.0-beta4, >= 2.8.0-beta5, <= 2.8.0-beta5, >= 2.8.0-beta6, <= 2.8.0-beta6, >= 2.8.0-beta7, <= 2.8.0-beta7, >= 2.8.0-beta8, <= 2.8.0-beta8, >= 2.8.0-beta9, <= 2.8.0-beta9, >= 2.9.0-beta1, <= 2.9.0-beta1, >= 2.9.0-beta10, <= 2.9.0-beta10, >= 2.9.0-beta11, <= 2.9.0-beta11, >= 2.9.0-beta12, <= 2.9.0-beta12, >= 2.9.0-beta13, <= 2.9.0-beta13, >= 2.9.0-beta14, <= 2.9.0-beta14, >= 2.9.0-beta2, <= 2.9.0-beta2, >= 2.9.0-beta3, <= 2.9.0-beta3, >= 2.9.0-beta4, <= 2.9.0-beta4, >= 2.9.0-beta5, <= 2.9.0-beta5, >= 2.9.0-beta6, <= 2.9.0-beta6, >= 2.9.0-beta7, <= 2.9.0-beta7, >= 2.9.0-beta8, <= 2.9.0-beta8, >= 2.9.0-beta9, <= 2.9.0-beta9, >= 3.0.0-beta15, <= 3.0.0-beta15, >= 3.0.0-beta16, <= 3.0.0-beta16, >= 3.1.0-beta1, <= 3.1.0-beta1, >= 3.1.0-beta2, <= 3.1.0-beta2, >= 3.1.0-beta3, <= 3.1.0-beta3, >= 3.1.0-beta5, <= 3.1.0-beta5, >= 3.1.0-beta6, <= 3.1.0-beta6

CVSS score

Source   Version    Severity     Vector
osv      CVSS 3.1   MEDIUM 6.8   CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

References (2)