CVE-2024-54142

Cross-site Scripting via Discourse-ai SharedAiConversation onebox in Discourse

CVSS 9.1 CRITICALEPSS 0.4%CWE-79

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.1EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

14 Jan 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities those could leak into the Discourse application when a user visited a post with a onebox to said conversation. This issue has been addressed in commit `92f122c`. Users are advised to update. Users unable to update may remove all groups from `ai bot public sharing allowed groups` site setting.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Affected products

discourse · discourse-ai

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/discourse/discourse-ai/commit/92f122c54d9d7ead9223a056270bff5b4c42c73f https://github.com/discourse/discourse-ai/security/advisories/GHSA-94c2-qr2h-88jv