{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-53266", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-11-19T20:08:14.481Z", "datePublished": "2025-02-04T21:18:19.591Z", "dateUpdated": "2025-02-04T21:40:25.211Z"}, "containers": {"cna": {"title": "Cross-site Scripting (XSS) via topic titles when CSP disabled in Discourse", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-hw4j-4hg7-22h2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-hw4j-4hg7-22h2"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": "stable: < 3.3.3", "status": "affected"}, {"version": "tests-passed: < 3.4.0.beta4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-04T21:18:19.591Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open source platform for community discussion. In affected versions with some combinations of plugins, and with CSP disabled, activity streams in the user's profile page may be vulnerable to XSS. This has been patched in the latest version of Discourse core. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled."}], "source": {"advisory": "GHSA-hw4j-4hg7-22h2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-04T21:40:15.684528Z", "id": "CVE-2024-53266", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-04T21:40:25.211Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-53266", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-04T21:40:15.684528Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-04T21:40:20.746Z"}}], "cna": {"title": "Cross-site Scripting (XSS) via topic titles when CSP disabled in Discourse", "source": {"advisory": "GHSA-hw4j-4hg7-22h2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": "stable: < 3.3.3"}, {"status": "affected", "version": "tests-passed: < 3.4.0.beta4"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-hw4j-4hg7-22h2", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-hw4j-4hg7-22h2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open source platform for community discussion. In affected versions with some combinations of plugins, and with CSP disabled, activity streams in the user's profile page may be vulnerable to XSS. This has been patched in the latest version of Discourse core. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-04T21:18:19.591Z"}}}, "cveMetadata": {"cveId": "CVE-2024-53266", "state": "PUBLISHED", "dateUpdated": "2025-02-04T21:40:25.211Z", "dateReserved": "2024-11-19T20:08:14.481Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-04T21:18:19.591Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open source platform for community discussion. In affected versions with some combinations of plugins, and with CSP disabled, activity streams in the user's profile page may be vulnerable to XSS. This has been patched in the latest version of Discourse core. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled."}], "id": "CVE-2024-53266", "lastModified": "2025-02-04T22:15:40.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-02-04T22:15:40.347", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-hw4j-4hg7-22h2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}