CVE-2024-37165

Discourse has an XSS via Onebox system

Discourse is an open source discussion platform. Prior to 3.2.3 and 3.3.0.beta3, improperly sanitized Onebox data could lead to an XSS vulnerability in some situations. This vulnerability only affects Discourse instances which have disabled the default Content Security Policy. This vulnerability is fixed in 3.2.3 and 3.3.0.beta3.


We have discovered 1,754 live websites that are affected by CVE-2024-37165.

Affected Software

Product: Discourse
Category: Message Boards
Vulnerable Domains: 1,754 live websites (33.58% of Discourse install base)
Vulnerable Versions:
  • from 0 before 3.2.3
  • from 3.3 before 3.3
Vulnerable Versions Count: 87 versions (91.58% of all versions)


Common Weakness Enumeration

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')



Details

  • Published - Jul 30, 2024
  • Updated - Aug 2, 2024

CVE-2024-37165 usage by Country

United States: 1,139 websites
Germany: 177 websites
France: 88 websites
Singapore: 50 websites
China: 39 websites
GB: 25 websites
Japan: 23 websites
Netherlands: 21 websites
Switzerland: 19 websites

CVE-2024-37165 usage by TLD

.com: 716 websites
.org: 277 websites
.net: 94 websites
.io: 84 websites
.de: 37 websites
.fr: 23 websites
.ru: 21 websites
.eu: 18 websites
.co: 17 websites
.nl: 14 websites


Websites affected by CVE-2024-37165

Top websites that are affected by CVE-2024-37165.

Domain                            Country         Rank
*********.***.com                 France          *,***
*********.*******.org             United States   **,***
******.********.com               United States   **,***
*********.***************.com     United States   **,***
*****.******.com                  United States   ***,***
*********.**********.de           Germany         ***,***
*****.******.cloud                United States   ***,***
**********.com                    United States   ***,***
*********.*********.com                           ***,***
*********.**********.io           United States   ***,***

FAQ

CVE-2024-37165 is an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Discourse.
A total of 1,754 websites have been identified as vulnerable to CVE-2024-37165, discovered through global website indexing conducted by WebTechSurvey.
Discourse is susceptible to the CVE-2024-37165 vulnerability.
Discourse versions before 3.3 are vulnerable to CVE-2024-37165.
Version 3.3 of Discourse addresses the CVE-2024-37165 security vulnerability.