CVE-2023-36473 MEDIUM

CVE-2023-36473: CSP nonce reuse vulnerability in Discourse

Vendor Discourse
Product discourse
Weakness CWE-79 · XSS
Published July 13, 2023
Last update October 21, 2024

CVSS base score

6.8/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

Discourse is an open source discussion platform. A Content Security Policy (CSP) nonce reuse vulnerability could allow XSS attacks to bypass CSP protection. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to bypass CSP completely. The vulnerability is patched in the latest tests-passed, beta and stable branches.

Key dates

Disclosure timeline

July 13, 2023 CVE published
October 21, 2024 Record updated