CVE-2024-23834

Discourse improperly sanitized user input leads to XSS

Discourse is an open-source discussion platform. Improperly sanitized user input could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. The vulnerability is patched in 3.1.5 and 3.2.0.beta5. As a workaround, ensure Content Security Policy is enabled and does not include `unsafe-inline`.


We have discovered 1,449 live websites that are affected by CVE-2024-23834.




Affected Software

Product: Discourse
Category: Message Boards
Vulnerable Domains: 1,449 live websites (27.74% of Discourse install base)
Vulnerable Versions:
  • from 0 before 3.1.5
  • from 3.2 before 3.2
Vulnerable Versions Count: 83 versions (87.37% of all versions)


Common Weakness Enumeration

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')



Details

  • Published - Jan 30, 2024
  • Updated - Oct 17, 2024

CVE-2024-23834 usage by Country

United States: 976 websites
Germany: 124 websites
France: 77 websites
Singapore: 41 websites
China: 33 websites
GB: 19 websites
Russia: 15 websites
Netherlands: 15 websites
Switzerland: 13 websites

CVE-2024-23834 usage by TLD

.com: 595 websites
.org: 230 websites
.net: 73 websites
.io: 71 websites
.de: 30 websites
.fr: 20 websites
.co: 17 websites
.ru: 16 websites
.eu: 14 websites
.nl: 12 websites



FAQ

  • CVE-2024-23834 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Discourse.
  • A total of 1,449 websites have been identified as vulnerable to CVE-2024-23834, discovered through global website indexing conducted by WebTechSurvey.
  • Discourse is susceptible to the CVE-2024-23834 vulnerability.
  • Discourse versions before 3.2 are vulnerable to CVE-2024-23834.
  • Version 3.2 of Discourse addresses the CVE-2024-23834 security vulnerability.