First published: Fri Nov 10 2023(Updated: )
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some links can inject arbitrary HTML tags when rendered through our Onebox engine. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
<3.1.3 | ||
<3.2.0 | ||
=3.2.0-beta1 | ||
=3.2.0-beta2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2023-47119.
The severity of CVE-2023-47119 is medium.
Versions up to 3.1.3 of the stable branch and up to 3.2.0.beta3 of the beta and tests-passed branches are affected by CVE-2023-47119.
Update to version 3.1.3 of the stable branch or version 3.2.0.beta3 of the beta and tests-passed branches to fix CVE-2023-47119.
Yes, you can find the references for CVE-2023-47119 at the following links: [GitHub Advisory](https://github.com/discourse/discourse/security/advisories/GHSA-j95w-5hvx-jp5w), [Commit 1](https://github.com/discourse/discourse/commit/628b293ff53fb617b3464dd27268aec84388cc09), [Commit 2](https://github.com/discourse/discourse/commit/d78357917c6a917a8a27af68756228e89c69321c).