CVE-2023-47119
10.11.2023, 15:15
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some links can inject arbitrary HTML tags when rendered through our Onebox engine. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| discourse | discourse | 𝑥 < 3.1.3 |
| discourse | discourse | 𝑥 < 3.2.0 |
| discourse | discourse | 3.2.0:beta1 |
| discourse | discourse | 3.2.0:beta2 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| discourse | discourse | 𝑥 < 3.1.3 | ADP |
| discourse | discourse | 3.2.0.beta0 ≤ 𝑥 < 3.2.0.beta3 | ADP |
Common Weakness Enumeration
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
References