SB2024100716 - Multiple vulnerabilities in Discourse

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2024-47772)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within chat excerpts when CSP disabled. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Improper access control (CVE-ID: CVE-2024-45051)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper email address validation within encoded email addresses. A remote attacker can use specially crafted email address bypass domain-based restrictions and gain access to private sites, categories and/or groups.

3) Information disclosure (CVE-ID: CVE-2024-45297)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can see topics with a hidden tag if they know the label/name of that tag.

Remediation

Install update from vendor's website.

References

• https://github.com/discourse/discourse/security/advisories/GHSA-67mh-xhmf-c56h
• https://github.com/discourse/discourse/security/advisories/GHSA-2vjv-pgh4-6rmq
• https://github.com/discourse/discourse/security/advisories/GHSA-58xw-3qr3-53gp