
CVE-2024-52794 PoC — Magnific lightbox susceptible to Cross-site Scripting in Discourse

Source
Associated Vulnerability
Title: Magnific lightbox susceptible to Cross-site Scripting in Discourse (CVE-2024-52794)
Description: Discourse is an open source platform for community discussion. Users clicking on the lightbox thumbnails could be affected. This problem is patched in the latest version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Description
Stored XSS in Discourse via image filename - CVE-2024-52794
Readme
# CVE-2024-52794 – Stored Cross-Site Scripting (XSS) in Discourse

![CVE](https://img.shields.io/badge/CVE-2024--52794-critical?style=flat-square&color=red)
![Platform](https://img.shields.io/badge/Target-Discourse-blue?style=flat-square)
![HackerOne](https://img.shields.io/badge/Reported%20via-hackerone-orange?style=flat-square)

---

## Summary

I discovered a stored cross-site scripting (XSS) vulnerability in Discourse, an open-source forum platform. The vulnerability allows an attacker to execute arbitrary JavaScript in the victim’s browser by injecting a malicious payload into the filename of an uploaded image. This affects several user interaction vectors, including public topics, comments, and private messages.

---

## CVE Identifier

- **CVE:** [CVE-2024-52794](https://github.com/discourse/discourse/security/advisories/GHSA-m3v4-v2rp-hfm9)
- **Advisory ID:** [GHSA-m3v4-v2rp-hfm9](https://github.com/discourse/discourse/security/advisories/GHSA-m3v4-v2rp-hfm9)
- **Discovered by:** [Mohand00](https://github.com/Beesco00)
- **Reported via:** [HackerOne](https://hackerone.com/)
- **Date reported:** November 18, 2024

---

## Technical Details

When uploading an image, the filename is rendered without proper sanitization in the frontend. If the filename includes a JavaScript payload, e.g.:

```html
<script>alert(document.domain)</script>
```

...it will be executed when a user clicks the image. This applies to:

* Topics
* Comments
* Direct messages

The vulnerable logic failed to encode or strip script tags from `img` alt attributes or the surrounding markup.
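As an added illustration (not code from Discourse or Magnific Popup, whose real caption markup is not shown here), the following JavaScript contrasts the unsanitized rendering pattern with an escaped one; the template string, function names and sample filename are assumptions.

```javascript
// Added example, not Discourse or Magnific Popup code. The caption template,
// function names and the sample filename are assumptions for illustration.

// Escape the five characters that matter in both text and attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the raw filename is interpolated into markup that is
// later handed to innerHTML, so tags inside the filename become live HTML.
function buildCaptionUnsafe(filename) {
  return `<img alt="${filename}"><div class="mfp-title">${filename}</div>`;
}

// Hardened pattern: every dynamic value is escaped before it enters markup.
// (Equivalently, build nodes with createElement/textContent/setAttribute
// and never route the filename through innerHTML at all.)
function buildCaptionSafe(filename) {
  const safe = escapeHtml(filename);
  return `<img alt="${safe}"><div class="mfp-title">${safe}</div>`;
}

// Check used below: count tag starts in the generated markup. The template
// itself contributes exactly three (<img, <div, </div); anything above that
// came from the filename.
function tagCount(markup) {
  return (markup.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed sample: the payload from the advisory used as an upload filename.
const SAMPLE_FILENAME = "<script>alert(document.domain)</script>.png";

function demo() {
  const unsafe = buildCaptionUnsafe(SAMPLE_FILENAME);
  const safe = buildCaptionSafe(SAMPLE_FILENAME);
  return { unsafeTags: tagCount(unsafe), safeTags: tagCount(safe) };
}

console.log(demo()); // { unsafeTags: 7, safeTags: 3 }
```

The same escaping must be applied in every place the filename is rendered (topics, comments, direct messages), since the payload is stored once and replayed on each view.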

---

## Impact

* Arbitrary JavaScript execution in victim context
* Full session hijacking (via `document.cookie`)
* Account compromise
* Works across multiple user inputs (persistent XSS)

---

## Affected Versions

| Channel      | Versions Affected |
| ------------ | ----------------- |
| Stable       | ≤ 3.3.2           |
| Beta         | ≤ 3.4.0.beta3     |
| Tests-passed | ≤ 3.4.0.beta3     |

---

## Patched Versions

| Channel      | Patched in Version |
| ------------ | ------------------ |
| Stable       | ≥ 3.3.3            |
| Beta         | ≥ 3.4.0.beta4      |
| Tests-passed | ≥ 3.4.0.beta4      |

The issue was addressed by properly sanitizing user-supplied filenames and escaping all dynamic content in image rendering components.

---

## Disclosure Timeline

| Date         | Event                                  |
| ------------ | -------------------------------------- |
| Nov 18, 2024 | Vulnerability reported via HackerOne   |
| Dec 19, 2024 | CVE assigned: CVE-2024-52794           |
| Dec 19, 2024 | Public advisory published by Discourse |

---

## References

* [Official Advisory – GHSA-m3v4-v2rp-hfm9](https://github.com/discourse/discourse/security/advisories/GHSA-m3v4-v2rp-hfm9)
* [Discourse GitHub Repository](https://github.com/discourse/discourse)