CVE-2024-53266

Discourse is an open source platform for community discussion. In affected versions with some combinations of plugins, and with CSP disabled, activity streams in the user's profile page may be vulnerable to XSS. This has been patched in the latest version of Discourse core. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-hw4j-4hg7-22h2	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:discourse:discourse:::::stable:::*
	cpe:2.3:a:discourse:discourse:::::beta:::*
	cpe:2.3:a:discourse:discourse:3.4.0:-:::beta:::*
	cpe:2.3:a:discourse:discourse:3.4.0:beta1:::beta:::*
	cpe:2.3:a:discourse:discourse:3.4.0:beta2:::beta:::*
	cpe:2.3:a:discourse:discourse:3.4.0:beta3:::beta:::*

History

26 Aug 2025, 16:28

Type	Values Removed	Values Added
CPE		cpe:2.3:a:discourse:discourse:3.4.0:beta1:::beta:::* cpe:2.3:a:discourse:discourse:3.4.0:-:::beta:::* cpe:2.3:a:discourse:discourse:::::stable:::* cpe:2.3:a:discourse:discourse:3.4.0:beta3:::beta:::* cpe:2.3:a:discourse:discourse:3.4.0:beta2:::beta:::* cpe:2.3:a:discourse:discourse:::::beta:::*
References	~~() https://github.com/discourse/discourse/security/advisories/GHSA-hw4j-4hg7-22h2 -~~	() https://github.com/discourse/discourse/security/advisories/GHSA-hw4j-4hg7-22h2 - Third Party Advisory
Summary		(es) Discourse es una plataforma de código abierto para debates comunitarios. En las versiones afectadas con algunas combinaciones de complementos y con CSP deshabilitado, los flujos de actividad en la página de perfil del usuario pueden ser vulnerables a XSS. Esto se ha corregido en la última versión del núcleo de Discourse. Se recomienda a los usuarios que actualicen la versión. Los usuarios que no puedan actualizar la versión deben asegurarse de que CSP esté habilitado.
First Time		Discourse Discourse discourse

04 Feb 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-04 22:15

Updated : 2025-08-26 16:28

NVD link : CVE-2024-53266

Mitre link : CVE-2024-53266

CVE.ORG link : CVE-2024-53266

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.3 /10