CVE-2024-43408 MEDIUM

CVE-2024-43408: Discourse Placeholder Forms has an XSS stopped by CSP

Vendor: Discourse
Product: discourse-placeholder-theme-component
Weakness: CWE-79 · XSS
Published: August 20, 2024
Last update: September 3, 2024

CVSS base score

6.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

Discourse Placeholder Forms lets you build dynamic documentation. Unsanitized, stored user input was injected into the HTML of the post. The vulnerability is fixed in commit a62f711d5600e4e5d86f342d52932cb6221672e7.

Key dates

02 Disclosure timeline

August 20, 2024: CVE published
September 3, 2024: Record updated