SB2025020536 - Multiple vulnerabilities in Discourse
Published: February 5, 2025 Updated: July 1, 2026
Description
This security bulletin contains information about 7 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2024-53266)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within topic titles when the Content Security Policy (CSP) is disabled. A remote user can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
2) Improper Preservation of Permissions (CVE-ID: CVE-2024-53994)
CWE-ID: CWE-281 - Improper preservation of permissions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper preservation of permissions. A user who has disabled chat in their preferences can still be reached via chat in some cases.
3) Input validation error (CVE-ID: CVE-2024-53851)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in inline oneboxes. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
4) Improper access control (CVE-ID: CVE-2024-53991)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the nginx handling of backup files when processing a specially crafted request for a backup file. A remote attacker can send such a request to disclose sensitive information.
Only instances configured to use FileStore::LocalStore for local storage of uploads and backups are affected, and exploitation requires knowledge of the backup file name.
5) Cross-site scripting (CVE-ID: CVE-2024-52794)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script code in a user's browser.
The vulnerability exists due to insufficient neutralization of user-supplied content in the Magnific lightbox feature when handling lightbox thumbnail clicks. A remote user can craft malicious content that executes arbitrary script code in a user's browser when that user clicks a lightbox thumbnail.
User interaction is required: the victim must click a lightbox thumbnail.
6) Improper access control (CVE-ID: CVE-2024-52589)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control on the Screened Emails list in the admin dashboard when handling moderator access. A remote privileged user (a moderator) can view the Screened Emails list and disclose sensitive information.
The issue can expose a user's email address even when the "moderators view emails" option is disabled.
7) Exposure of Private Information ('Privacy Violation') (CVE-ID: CVE-2024-49765)
CWE-ID: CWE-359 - Exposure of Private Information ('Privacy Violation')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose private personal information.
The vulnerability exists due to improper access control on other enabled login paths when DiscourseConnect is enabled alongside local logins. A remote attacker can create an account or log in through an alternate login path to disclose private personal information.
Only sites that use DiscourseConnect while also keeping other login methods enabled are vulnerable.
Remediation
Install the update from the vendor's website.
References
- https://github.com/discourse/discourse/security/advisories/GHSA-hw4j-4hg7-22h2
- https://github.com/discourse/discourse/security/advisories/GHSA-mrpw-gwj7-98r6
- https://github.com/discourse/discourse/commit/416ec83ae57924d721e6e374f4cda78bd77a4599
- https://github.com/discourse/discourse/security/advisories/GHSA-49rv-574x-wgpc
- https://github.com/discourse/discourse/security/advisories/GHSA-567m-82f6-56rv
- https://github.com/discourse/discourse/security/advisories/GHSA-m3v4-v2rp-hfm9
- https://github.com/discourse/discourse/security/advisories/GHSA-cqw6-rr3v-8fff
- https://github.com/discourse/discourse/security/advisories/GHSA-v8rf-pvgm-xxf2