CVE-2024-56328

Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should enable CSP, disable inline Oneboxes globally, or allow specific domains for Oneboxing.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-j855-mhxj-x6vg	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:discourse:discourse:::::stable:::*
	cpe:2.3:a:discourse:discourse:::::beta:::*
	cpe:2.3:a:discourse:discourse:3.4.0:-:::beta:::*
	cpe:2.3:a:discourse:discourse:3.4.0:beta1:::beta:::*
	cpe:2.3:a:discourse:discourse:3.4.0:beta2:::beta:::*
	cpe:2.3:a:discourse:discourse:3.4.0:beta3:::beta:::*

History

26 Aug 2025, 16:10

Type	Values Removed	Values Added
CPE		cpe:2.3:a:discourse:discourse:::::stable:::* cpe:2.3:a:discourse:discourse:3.4.0:beta3:::beta:::* cpe:2.3:a:discourse:discourse:3.4.0:beta2:::beta:::* cpe:2.3:a:discourse:discourse:3.4.0:-:::beta:::* cpe:2.3:a:discourse:discourse:3.4.0:beta1:::beta:::* cpe:2.3:a:discourse:discourse:::::beta:::*
First Time		Discourse discourse Discourse
References	~~() https://github.com/discourse/discourse/security/advisories/GHSA-j855-mhxj-x6vg -~~	() https://github.com/discourse/discourse/security/advisories/GHSA-j855-mhxj-x6vg - Third Party Advisory
Summary		(es) Discourse es una plataforma de código abierto para debates comunitarios. Un atacante puede ejecutar código JavaScript arbitrario en los navegadores de los usuarios publicando una URL maliciosa de Onebox manipulado. Este problema solo afecta a los sitios con CSP deshabilitado. Este problema se ha corregido en la última versión de Discourse. Se recomienda a los usuarios que actualicen la versión. Los usuarios que no puedan actualizar la versión deben habilitar CSP, deshabilitar los Onebox en línea de forma global o permitir dominios específicos para Oneboxing.

04 Feb 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-04 21:15

Updated : 2025-08-26 16:10

NVD link : CVE-2024-56328

Mitre link : CVE-2024-56328

CVE.ORG link : CVE-2024-56328

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.5 /10