Acceptance of Extraneous Untrusted Data With Trusted Data in Discourse - CVE-2024-47773
Published: October 8, 2024 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to poison the anonymous cache and modify content served to anonymous visitors.
The vulnerability exists due to improper cache handling in the anonymous cache mechanism when processing XHR requests. A remote attacker can make several XHR requests to poison the anonymous cache and modify content served to anonymous visitors.
This issue only affects anonymous visitors of the site.