CVE-2024-39320

Discourse allows iframe injection through a default site setting

Discourse is an open source discussion platform. Prior to versions 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.


We have discovered 1,781 live websites that are affected by CVE-2024-39320.





Affected Software

Product: Discourse
Category: Message Boards
Vulnerable Domains: 1,781 live websites (34.09% of Discourse install base)
Vulnerable Versions:
  • from 0 before 3.2.5
  • from 3.3 before 3.3
Vulnerable Versions Count: 89 versions (93.68% of all versions)


Common Weakness Enumeration

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')



Details

  • Published - Jul 30, 2024
  • Updated - Aug 2, 2024

CVE-2024-39320 usage by Country

United States: 1,152 websites
Germany: 188 websites
France: 89 websites
Singapore: 50 websites
China: 39 websites
GB: 26 websites
Japan: 23 websites
Netherlands: 21 websites
Switzerland: 20 websites

CVE-2024-39320 usage by TLD

.com: 726 websites
.org: 281 websites
.net: 97 websites
.io: 84 websites
.de: 40 websites
.fr: 24 websites
.ru: 21 websites
.co: 18 websites
.eu: 18 websites
.com.br: 14 websites



FAQ

CVE-2024-39320 is an Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') weakness in Discourse.
A total of 1,781 websites have been identified as vulnerable to CVE-2024-39320, discovered through global website indexing conducted by WebTechSurvey.
Discourse is susceptible to the CVE-2024-39320 vulnerability.
Discourse versions before 3.3 are vulnerable to CVE-2024-39320.
Version 3.3 of Discourse addresses the CVE-2024-39320 security vulnerability.