CVE-2024-47772

Published: Oct 7, 2024Modified: Sep 25, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of Discourse. All users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum. Users who do upgrade should also consider enabling a CSP as well as a proactive measure.

Affected (3)

Products: Discourse: Discourse

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Discourse Discourse	Before 3.4.0
Discourse Discourse	Before 3.3.2
Discourse Discourse	Version 3.4.0 beta1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Source: security-advisories@github.com

MitigationThird Party Advisory

https://github.com/discourse/discourse/security/advisories/GHSA-67mh-xhmf-c56h

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.