CVE-2024-23834 MEDIUM

CVE-2024-23834: Discourse improperly sanitized user input leads to XSS

Vendor Discourse
Product discourse
Weakness CWE-79 · XSS
Published January 30, 2024
Last update October 17, 2024
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Discourse is an open-source discussion platform. Improperly sanitized user input could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. The vulnerability is patched in 3.1.5 and 3.2.0.beta5. As a workaround, ensure Content Security Policy is enabled and does not include `unsafe-inline`.

Key dates

02Disclosure timeline

January 30, 2024 CVE published
October 17, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-20836 CVE-2025-22282 WordPress ez Form Calculator Premouium plugin <= 2.14.1.2 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-49947 WordPress WooCommerce Registration Fields Plugin - Custom Signup Fields plugin <= 3.2.3 - Cross Site Scripting (XSS) vulnerability CVE-2026-5262 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab CVE-2025-14552 MediaPress <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode