CVE-2024-23834
Discourse improperly sanitized user input leads to XSS
6.1
MEDIUM
CVSS 3.1
EPSS 0.51%
Description
Discourse is an open-source discussion platform. Improperly sanitized user input could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. The vulnerability is patched in 3.1.5 and 3.2.0.beta5. As a workaround, ensure Content Security Policy is enabled and does not include `unsafe-inline`.
How to fix CVE-2024-23834
To fix CVE-2024-23834, upgrade the affected package to the patched version listed below.
- Upgrade to 3.2.0 or later
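The workaround in the description is to keep Content Security Policy enabled without `unsafe-inline`. The checker below is an added example, not Discourse code or part of the advisory: it parses a CSP header, applies the browser's `script-src` to `default-src` fallback, and reports whether injected inline script would be allowed to run. The sample headers are constructed for illustration.

```python
"""Audit a Content-Security-Policy header against the advisory's workaround:
CSP present, and inline script not permitted through 'unsafe-inline'."""
import re
from typing import Dict, List, Optional, Tuple

# A nonce or hash source makes CSP2+ browsers ignore 'unsafe-inline' in that directive.
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)", re.IGNORECASE)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header into {directive: [sources]}; the first occurrence of a
    directive wins, which is how browsers treat duplicates."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs inline <script>; default-src applies only when it is absent."""
    return policy.get("script-src", policy.get("default-src"))


def inline_script_allowed(header: Optional[str]) -> bool:
    """True when the policy would let an injected inline script execute."""
    if not header or not header.strip():
        return True  # no CSP header at all: nothing restricts inline script
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True  # neither script-src nor default-src: script unrestricted
    if "'unsafe-inline'" not in (s.lower() for s in sources):
        return False
    # 'unsafe-inline' is present; it only takes effect when no nonce/hash source is listed.
    return not any(NONCE_OR_HASH.match(s) for s in sources)


# Constructed sample headers (not taken from any real Discourse deployment).
SAMPLES: Dict[str, Optional[str]] = {
    "csp-disabled": None,
    "unsafe-inline-via-default": "default-src 'self' 'unsafe-inline'",
    "script-src-overrides-default": "default-src 'unsafe-inline'; script-src 'self'",
    "nonce-neutralises-unsafe-inline": "script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'",
}


def audit(samples: Dict[str, Optional[str]]) -> List[Tuple[str, bool]]:
    """Return (label, inline_allowed) pairs; True means the workaround is not met."""
    return [(label, inline_script_allowed(h)) for label, h in samples.items()]
```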
Is CVE-2024-23834 being exploited?
Low — EPSS is 0.5%; no widespread exploitation activity has been observed.
Affected packages (1)
- from 0, < 3.2.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |