Discourse Stored DOM-Based Cross-Site Scripting Vulnerability via Video Placeholders

Vulnerability

A stored DOM-based cross-site scripting vulnerability has been identified in Discourse, an open-source community discussion platform. This issue allows attackers to execute arbitrary JavaScript in the browsers of users who view a malicious video placeholder HTML element. The vulnerability affects Discourse versions prior to 3.3.4 on the stable branch and prior to 3.4.0.beta4 on the beta and tests-passed branches. It is exploitable only on sites with Content Security Policy (CSP) disabled.

Impact

Exploitation of this vulnerability allows for stored DOM-based cross-site scripting, where injected JavaScript is executed in the context of the user's browser.

Remediation

Users are advised to upgrade to Discourse versions 3.3.4 or later for the stable branch, and 3.4.0.beta4 or later for the beta and tests-passed branches. For users unable to upgrade, enabling Content Security Policy (CSP) is recommended.
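
The following triage check is an added example, not part of the original advisory or of Discourse itself. It classifies an instance from its reported version string and HTTP response headers, using the fixed versions and the CSP condition stated above. The function names, result labels and sample inventory are assumptions constructed for illustration, and a version string with an unrecognized suffix is reported as unknown rather than guessed.

```python
import re

# Fixed releases, as stated in the advisory.
FIXED_STABLE = (3, 3, 4)      # stable branch
FIXED_BETA = ((3, 4, 0), 4)   # 3.4.0.beta4, beta and tests-passed branches

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.beta(\d+))?$")


def parse_version(text):
    """Return ((major, minor, patch), beta) or None; beta is None for a final release."""
    m = _VERSION.match(text.strip())
    if m is None:
        return None  # unexpected suffix or format: do not guess, flag for manual review
    core = tuple(int(p) for p in m.group(1, 2, 3))
    return core, (int(m.group(4)) if m.group(4) else None)


def is_patched(core, beta):
    if beta is None:
        return core >= FIXED_STABLE
    fixed_core, fixed_beta = FIXED_BETA
    return core > fixed_core or (core == fixed_core and beta >= fixed_beta)


def csp_enforced(headers):
    """True only for an enforcing policy that restricts scripts; Report-Only does not block."""
    lowered = {name.lower(): value for name, value in headers.items()}
    policy = lowered.get("content-security-policy", "")
    names = {d.split()[0].lower() for d in policy.split(";") if d.strip()}
    return bool(names & {"script-src", "default-src"})


def assess(version_text, headers):
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown-version"
    if is_patched(*parsed):
        return "patched"
    return "mitigated-by-csp" if csp_enforced(headers) else "exposed"


if __name__ == "__main__":
    # Constructed inventory: (hostname, reported version, response headers).
    inventory = [
        ("forum-a.example", "3.3.3", {}),
        ("forum-b.example", "3.4.0.beta3", {"Content-Security-Policy": "script-src 'self'"}),
        ("forum-c.example", "3.4.0.beta4", {}),
    ]
    for host, version, headers in inventory:
        print(host, version, assess(version, headers))
```

An instance reported as "mitigated-by-csp" is still running an affected version and should be scheduled for upgrade.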

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 1.7
exploitability: 4.7
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.