Discourse Onebox URL Injection Vulnerability Allowing Arbitrary JavaScript Execution

Vulnerability

A vulnerability in Discourse's Onebox feature allows arbitrary JavaScript to execute in users' browsers. It is triggered when a maliciously crafted Onebox URL is posted, and it affects only Discourse sites that have Content Security Policy (CSP) disabled. Affected versions are stable through 3.3.3, beta through 3.4.0.beta3, and tests-passed through 3.4.0.beta3.

Impact

Exploitation results in cross-site scripting (XSS): an attacker can run script in the context of the Discourse site inside the victim's browser.

Remediation

Site operators are advised to upgrade to Discourse stable 3.3.4, beta 3.4.0.beta4, or tests-passed 3.4.0.beta4. Where upgrading is not possible, the recommended workarounds are to enable CSP, to disable inline Oneboxes globally, or to restrict Oneboxing to an allow-list of specific domains.
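The third workaround, restricting Oneboxing to an allow-list of domains, is only as strong as the host check behind it. The following is an added example of such a check, hypothetical code written for this page and not Discourse's own; the domain list is a constructed sample, and the function name `onebox_allowed?` is an assumption.

```ruby
require "uri"

# Constructed sample allow-list (not from Discourse's settings).
ONEBOX_ALLOWED_DOMAINS = %w[example.com docs.example.org].freeze

# Hypothetical gate for Onebox rendering: returns true only for plain http(s)
# URLs whose host is an allowed domain or a subdomain of one. Anything else
# should be rendered as an ordinary link rather than expanded.
def onebox_allowed?(raw_url, allowed = ONEBOX_ALLOWED_DOMAINS)
  uri = URI.parse(raw_url.to_s.strip)

  # Refuse non-web schemes (javascript:, data:, ftp:) and relative references.
  # URI::HTTPS is a subclass of URI::HTTP, so this covers both.
  return false unless uri.is_a?(URI::HTTP)
  return false if uri.host.nil? || uri.host.empty?

  # A userinfo component lets "https://example.com@attacker.example/" look
  # allowed to a naive substring check; the real host is after the "@".
  return false unless uri.userinfo.nil?

  # Normalise case and a trailing dot before comparing.
  host = uri.host.downcase.chomp(".")

  allowed.any? do |domain|
    d = domain.downcase
    # Anchor the suffix match on a label boundary so that
    # "example.com.attacker.example" does not pass as "example.com".
    host == d || host.end_with?(".#{d}")
  end
rescue URI::InvalidURIError
  # Unparseable input is never eligible for Oneboxing.
  false
end
```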

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 1.7
exploitability: 4.7
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.