CVE-2024-54142
Cross-site Scripting via Discourse-ai SharedAiConversation onebox in Discourse
Description
Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities those could leak into the Discourse application when a user visited a post with a onebox to said conversation. This issue has been addressed in commit `92f122c`. Users are advised to update. Users unable to update may remove all groups from `ai bot public sharing allowed groups` site setting.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:LPrivileges RequiredUI:RUser InteractionS:CScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
2 techniquesReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2024-54142 and every CVE in our database. Create a free account — no credit card required.
Create Free Account