Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-47772

Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of Discourse. All users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum. Users who do upgrade should also consider enabling a CSP as well as a proactive measure.

Published

2024-10-07T21:15:18.383

Last Modified

2025-09-25T20:27:29.813

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	discourse	discourse	< 3.3.2	Yes
Application	discourse	discourse	< 3.4.0	Yes
Application	discourse	discourse	3.4.0	Yes

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP Mitigation, Third Party Advisory ([email protected])
https://github.com/discourse/discourse/security/advisories/GHSA-67mh-xhmf-c56h Vendor Advisory ([email protected])