Discourse Content Security Policy Nonce Reuse Vulnerability Allowing Cross-Site Scripting Bypass

Vulnerability

A vulnerability in Discourse prior to version 3.1.0.beta7 in the 'beta' and 'tests-passed' branches allows for the reuse of Content Security Policy (CSP) nonces. This issue could enable cross-site scripting (XSS) attacks to bypass CSP protections for anonymous users. While no XSS vectors are currently known, the vulnerability could be exploited if such a vector were discovered. The stable branch of Discourse is not affected by this vulnerability.

Impact

Exploitation of this vulnerability could lead to successful cross-site scripting attacks that bypass Content Security Policy protections, specifically for anonymous users.

Reproduction

The vulnerability can be reproduced by enabling Google Tag Manager and accessing the application as an anonymous user. This will allow the CSP nonce to be reused, creating a potential vector for XSS attacks to bypass CSP protections.
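
A check for the condition described above, as an added example that is not Discourse code or part of the original advisory: it parses the Content-Security-Policy headers from several anonymous page loads and reports any script nonce that appears in more than one response. The header values and the tags.example host are constructed; collecting the real headers (requests sent without a session cookie) is left to the caller.

```python
import re
from collections import defaultdict

NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/_=-]+)'$")

def script_nonces(csp_header):
    """Nonces in the directive that governs <script> elements in one CSP header."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    # Fallback chain for script elements: script-src-elem, script-src, default-src.
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in directives:
            matches = (NONCE_RE.match(src) for src in directives[name])
            return {m.group(1) for m in matches if m}
    return set()

def reused_nonces(csp_headers):
    """Map each nonce seen in more than one response to those responses' indexes."""
    seen = defaultdict(list)
    for index, header in enumerate(csp_headers):
        for nonce in script_nonces(header):
            seen[nonce].append(index)
    return {nonce: hits for nonce, hits in seen.items() if len(hits) > 1}

# Constructed headers standing in for two anonymous page loads (not real captures).
REUSED = [
    "base-uri 'self'; script-src 'self' 'nonce-Zm9vYmFyMTIzNDU2' https://tags.example",
    "base-uri 'self'; script-src 'self' 'nonce-Zm9vYmFyMTIzNDU2' https://tags.example",
]
FRESH = [
    "script-src 'self' 'nonce-QWxwaGExMjM0NTY3' https://tags.example",
    "script-src 'self' 'nonce-QnJhdm84OTAxMjM0' https://tags.example",
]

if __name__ == "__main__":
    for label, headers in (("reused", REUSED), ("fresh", FRESH)):
        print(label, reused_nonces(headers) or "no nonce reuse seen")
```

An empty result over a sample of responses only shows that no reuse was observed in that sample; running the same check after updating or after disabling Google Tag Manager gives a before and after comparison.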

Remediation

Users can update to Discourse version 3.1.0.beta7 or later. If an immediate update is not possible, Google Tag Manager can be disabled as a temporary workaround.

Added: May 15, 2026, 8:20 AM
Updated: May 15, 2026, 8:20 AM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 1.7
exploitability: 4.8
remediation: 8.3
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.