What is the severity of CVE-2021-32764?

CVE-2021-32764 is classified as a medium severity vulnerability due to its potential for XSS attacks.

How do I fix CVE-2021-32764?

To fix CVE-2021-32764, upgrade to Discourse version 2.8.0 or later, or ensure that the default Content Security Policy is enabled.

What versions are affected by CVE-2021-32764?

CVE-2021-32764 affects Discourse versions 2.7.5 and prior, as well as 2.8.0-beta1.

What types of attacks are possible with CVE-2021-32764?

CVE-2021-32764 can lead to XSS attacks, allowing an attacker to execute scripts in the context of a user's session.

Is my site vulnerable if I haven't modified the Content Security Policy for CVE-2021-32764?

Your site is not vulnerable to CVE-2021-32764 if you have not modified or disabled Discourse's default Content Security Policy.

Vulnerability/
CVE-2021-32764

high

8.1

CWE

15/7/2021

3/8/2024

CVE-2021-32764: YouTube Onebox susceptible to XSS

First published: Thu Jul 15 2021(Updated: )

Discourse is an open-source discussion platform. In Discourse versions 2.7.5 and prior, parsing and rendering of YouTube Oneboxes can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy. The issue is patched in `stable` version 2.7.6, `beta` version 2.8.0.beta3, and `tests-passed` version 2.8.0.beta3. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Discourse	<=2.7.5
Discourse	=2.8.0-beta1

Never miss a vulnerability like this again

Reference Links

https://github.com/discourse/discourse/security/advisories/GHSA-9x4c-29xg-56hw

Frequently Asked Questions

What is the severity of CVE-2021-32764?
CVE-2021-32764 is classified as a medium severity vulnerability due to its potential for XSS attacks.
How do I fix CVE-2021-32764?
To fix CVE-2021-32764, upgrade to Discourse version 2.8.0 or later, or ensure that the default Content Security Policy is enabled.
What versions are affected by CVE-2021-32764?
CVE-2021-32764 affects Discourse versions 2.7.5 and prior, as well as 2.8.0-beta1.
What types of attacks are possible with CVE-2021-32764?
CVE-2021-32764 can lead to XSS attacks, allowing an attacker to execute scripts in the context of a user's session.
Is my site vulnerable if I haven't modified the Content Security Policy for CVE-2021-32764?
Your site is not vulnerable to CVE-2021-32764 if you have not modified or disabled Discourse's default Content Security Policy.

agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/severity
agent/title
agent/references
agent/last-modified-date
agent/author
agent/weakness
agent/description
agent/first-publish-date
agent/event
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/discourse
canonical/discourse
version/discourse/2.7.5
version/discourse/2.8.0-beta1

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.