Discourse is an open-source discussion platform. Prior to version 3.2.3 on the stable
branch and version 3.3.0.beta3 on the tests-passed
branch, an attacker can execute arbitrary JavaScript on users’ browsers by posting a specific URL containing maliciously crafted meta tags. This issue only affects sites with Content Security Polic (CSP) disabled. The problem has been patched in version 3.2.3 on the stable
branch and version 3.3.0.beta3 on the tests-passed
branch. As a workaround, ensure CSP is enabled on the forum.
{ "cpes": [ "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*" ], "severity": "Medium" }