CVE-2024-47772 — Cross-site Scripting (XSS) via chat excerpts when content security policy (CSP)

Description

Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of Discourse. All users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum. Users who do upgrade should also consider enabling a CSP as well as a proactive measure.

How to fix CVE-2024-47772

To remediate CVE-2024-47772, upgrade the affected package to a fixed version below.

—upgrade to 3.3.2 or later

Is CVE-2024-47772 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (3)

WEBdeveloper.mozilla.org/en-US/docs/Web/HTTP/CSP
WEBgithub.com/discourse/discourse/security/advisories/GHSA-67mh-xhmf-c56h
WEBnvd.nist.gov/vuln/detail/CVE-2024-47772