CVE-2024-39320

Опубликовано: 30 июл. 2024

Источник: nvd

CVSS3: 6.1

EPSS Низкий

Описание

Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.

Ссылки

https://github.com/discourse/discourse/commit/188cb58daa833839c54c266ce22db150a3f3a210
Patch
https://github.com/discourse/discourse/commit/76f06f6b1491db6bd09a4017d2c5591431b3b16e
Patch
https://github.com/discourse/discourse/security/advisories/GHSA-4p82-xh38-gq4p
Vendor Advisory
https://github.com/discourse/discourse/commit/188cb58daa833839c54c266ce22db150a3f3a210
Patch
https://github.com/discourse/discourse/commit/76f06f6b1491db6bd09a4017d2c5591431b3b16e
Patch
https://github.com/discourse/discourse/security/advisories/GHSA-4p82-xh38-gq4p
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*

Версия до 3.2.5 (исключая)

cpe:2.3:a:discourse:discourse:3.3.0:beta1:*:*:beta:*:*:*

cpe:2.3:a:discourse:discourse:3.3.0:beta2:*:*:beta:*:*:*

cpe:2.3:a:discourse:discourse:3.3.0:beta3:*:*:beta:*:*:*

cpe:2.3:a:discourse:discourse:3.3.0:beta4:*:*:beta:*:*:*

EPSS

Процентиль: 75%

0.0087

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-74

CWE-1021