Platform
discourse
Component
discourse-ai
Fixed in
92.0.1
CVE-2024-54142 describes a Cross-Site Scripting (XSS) vulnerability within the Discourse AI plugin for Discourse. This vulnerability allows malicious HTML entities within AI Bot conversations to be leaked into Discourse posts when oneboxing. The vulnerability affects versions of Discourse AI prior to 92f122c. A fix has been released in commit 92f122c, and users are advised to update.
An attacker could exploit this vulnerability by crafting a Discourse AI Bot conversation containing malicious HTML entities. When that conversation is shared and oneboxed into a Discourse post, the injected script executes in the browser of any user viewing the post. Possible consequences include theft of session cookies, redirection to phishing sites, or defacement of the site. The impact is broad because every member of the Discourse community who views the compromised post is affected.
This vulnerability was publicly disclosed on 2025-01-14. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability's criticality (CVSS 9.1) suggests a high potential for exploitation if a POC is developed. It is not currently listed on the CISA KEV catalog.
Discourse installations utilizing the Discourse AI plugin, particularly those with public forums or where AI Bot conversations are frequently shared, are at risk. Shared hosting environments running Discourse are also vulnerable, as the plugin's security depends on the host's overall security posture.
• discourse: Check Discourse logs for unusual JavaScript execution or suspicious URL patterns in post content.
• generic web: Use curl/wget to inspect the HTML source of posts that onebox AI Bot conversations for injected scripts. The pattern below matches any opening script tag, including ones with attributes such as `src`:
curl -s 'https://your-discourse-site.com/t/example-post' | grep -i '<script'
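As an added example for the second detection hint (not code from this page or from the Discourse project), the following Python scanner looks inside a post's oneboxed content for script tags and inline event-handler attributes rather than grepping the whole page. It assumes, as a Discourse rendering convention not stated on this page, that oneboxes are wrapped in an `<aside class="onebox">` element; the sample post is constructed.

```python
from html.parser import HTMLParser


class OneboxScanner(HTMLParser):
    # Assumption (not from the advisory): Discourse wraps oneboxes in
    # <aside class="onebox ...">; active content inside one is reported.
    def __init__(self):
        super().__init__()
        self.asides = []        # stack: True for onebox <aside>, False otherwise
        self.findings = []      # (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "aside":
            self.asides.append("onebox" in (attrs.get("class") or "").split())
            return
        if not any(self.asides):
            return              # outside every onebox: not the sink described here
        if tag == "script":
            self.findings.append(("script", attrs.get("src") or "inline"))
        for name, value in attrs.items():
            if name.lower().startswith("on"):  # onerror, onload, onclick, ...
                self.findings.append((f"{tag}@{name}", value))

    def handle_endtag(self, tag):
        if tag == "aside" and self.asides:
            self.asides.pop()


def find_onebox_scripts(html):
    """Return (kind, detail) findings for active content inside oneboxes."""
    scanner = OneboxScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a benign onebox plus one carrying injected markup.
SAMPLE_POST = """<div class="cooked">
<p>Look at this conversation.</p>
<aside class="onebox"><h3>Normal share</h3><p>Plain text</p></aside>
<aside class="onebox allowlistedgeneric"><h3>AI bot conversation</h3>
<p>Reply<script>alert(1)</script></p><img src="x" onerror="alert(1)"></aside>
</div>"""

if __name__ == "__main__":
    for kind, detail in find_onebox_scripts(SAMPLE_POST):
        print(f"{kind}: {detail}")
```

Feed it the body of a fetched post (for example the output of the curl command above) to get a list of findings instead of raw matching lines.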
Exploit status
EPSS
0.26% (49th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-54142 is to upgrade to Discourse AI version 92f122c or later. This version contains a fix that prevents the leakage of malicious HTML entities. If upgrading is not immediately feasible, a temporary workaround is to remove all groups from the ai bot public sharing allowed groups site setting. This will disable the sharing of AI Bot conversations, effectively preventing the vulnerability from being exploited. After upgrading, confirm the fix by sharing a test conversation with known malicious HTML entities and verifying that the script does not execute.
Update the Discourse AI plugin to the latest available version. If updating is not possible, remove all groups from the `ai bot public sharing allowed groups` site setting.
CVE-2024-54142 is a critical Cross-Site Scripting (XSS) vulnerability in the Discourse AI plugin, allowing malicious HTML entities in AI Bot conversations to be injected into Discourse posts.
You are affected if you are using the Discourse AI plugin in a version prior to 92f122c.
Upgrade the Discourse AI plugin to version 92f122c or remove all groups from the `ai bot public sharing allowed groups` site setting.
There are currently no confirmed reports of active exploitation, but the high CVSS score suggests a potential for exploitation.
Refer to the official Discourse security announcement on their website for details and updates.