CVE-2024-53266— Cross-site Scripting (XSS) via topic titles when CSP disabled in Discourse

Cross-site Scripting (XSS) via topic titles when CSP disabled in Discourse

Discourse is an open source platform for community discussion. In affected versions with some combinations of plugins, and with CSP disabled, activity streams in the user's profile page may be vulnerable to XSS. This has been patched in the latest version of Discourse core. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Discourse 跨站脚本漏洞

Discourse是Discourse开源的一套开源的社区讨论平台。该平台包括社区、电子邮件和聊天室等功能。 Discourse存在跨站脚本漏洞，该漏洞源于在某些插件组合下且CSP被禁用时，用户个人资料页面中的活动流可能易受到跨站脚本攻击。

N/A

N/A