CVE-2024-53266: Cross-site Scripting (XSS) via topic titles when CSP disabled in Discourse
First published: Tue Feb 04 2025(Updated: )
Discourse is an open source platform for community discussion. In affected versions with some combinations of plugins, and with CSP disabled, activity streams in the user's profile page may be vulnerable to XSS. This has been patched in the latest version of Discourse core. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Discourse Discourse |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-53266?
CVE-2024-53266 is classified as a medium severity vulnerability.
How do I fix CVE-2024-53266?
To fix CVE-2024-53266, update to the latest version of Discourse core.
Which versions of Discourse are affected by CVE-2024-53266?
CVE-2024-53266 affects certain combinations of plugins in versions of Discourse where Content Security Policy (CSP) is disabled.
What type of vulnerability is CVE-2024-53266?
CVE-2024-53266 is an XSS (Cross-Site Scripting) vulnerability.
Who is at risk from CVE-2024-53266?
Users of Discourse with specific plugin combinations and CSP disabled are at risk from CVE-2024-53266.
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/weakness
- agent/first-publish-date
- agent/description
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/severity
- agent/source
- agent/last-modified-date
- agent/author
- agent/tags
- agent/event
- vendor/discourse
- canonical/discourse discourse