Acceptance of Extraneous Untrusted Data With Trusted Data in Discourse - CVE-2024-47773

 

Acceptance of Extraneous Untrusted Data With Trusted Data in Discourse - CVE-2024-47773

Published: October 8, 2024 / Updated: July 1, 2026


Vulnerability identifier: #VU136099
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-47773
CWE-ID: CWE-349
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote attacker to poison the anonymous cache and modify content served to anonymous visitors.

The vulnerability exists due to improper cache handling in the anonymous cache mechanism when processing XHR requests. A remote attacker can make several XHR requests to poison the anonymous cache and modify content served to anonymous visitors.

This issue only affects anonymous visitors of the site.


How to mitigate CVE-2024-47773

Install security update from vendor's website.

Sources