Use of insufficiently random values in Discourse - CVE-2023-36473
Published: July 11, 2023 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to bypass CSP protection and execute cross-site scripting attacks.
The vulnerability exists due to improper reuse of a CSP nonce in Content Security Policy handling when processing content that relies on the nonce for script authorization. A remote user can leverage a discovered cross-site scripting vector to bypass CSP protection and execute cross-site scripting attacks.
There are no known cross-site scripting vectors at the moment, but any such vector could use this issue to completely bypass CSP.