CRITICALCVE-2024-54142CVSS 9.1

CVE-2024-54142: XSS in Discourse AI Plugin

Q: What is CVE-2024-54142 — XSS in Discourse AI?

CVE-2024-54142 is a critical Cross-Site Scripting (XSS) vulnerability in the Discourse AI plugin, allowing malicious HTML entities in AI Bot conversations to be injected into Discourse posts.

Q: Am I affected by CVE-2024-54142 in Discourse AI?

You are affected if you are using the Discourse AI plugin in a version prior to 92f122c.

Q: How do I fix CVE-2024-54142 in Discourse AI?

Upgrade the Discourse AI plugin to version 92f122c or remove all groups from the 'ai bot public sharing allowed groups' site setting.

Q: Is CVE-2024-54142 being actively exploited?

There are currently no confirmed reports of active exploitation, but the high CVSS score suggests a potential for exploitation.

Q: Where can I find the official Discourse advisory for CVE-2024-54142?

Refer to the official Discourse security announcement on their website for details and updates.

Platform

discourse

Component

discourse-ai

Fixed in

92.0.1

AI Confidence: highNVDEPSS 0.3%Reviewed: May 2026

View on NVD

Save

CVE-2024-54142 is a Cross-Site Scripting (XSS) vulnerability affecting the Discourse AI plugin for Discourse. This vulnerability allows malicious HTML entities within AI Bot conversations to be injected into Discourse posts when oneboxing. The vulnerability impacts versions of Discourse AI plugin prior to 92f122c. A fix has been released in version 92f122c, and users are advised to update immediately.

Impact and Attack Scenarios

An attacker could leverage this XSS vulnerability to inject arbitrary JavaScript code into Discourse posts. This could lead to various malicious outcomes, including stealing user cookies, redirecting users to phishing sites, or defacing the website. The impact is particularly severe because the vulnerability arises from a seemingly innocuous feature – sharing AI Bot conversations. Successful exploitation could compromise user accounts and the integrity of the Discourse platform. The blast radius extends to all users who view posts containing oneboxed AI Bot conversations with malicious HTML entities.

Exploitation Context

This vulnerability was publicly disclosed on 2025-01-14. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability's criticality (CVSS 9.1) indicates a high potential for exploitation if a PoC becomes available. It is not currently listed on CISA KEV.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.26% (49% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impacttotal

CVSS Vector

Affected Software

Componentdiscourse-ai

Vendordiscourse

Affected rangeFixed in

< 92f122c – < 92f122c92.0.1

Weakness Classification (CWE)

CWE-79

Timeline

Reserved2024-11-29
Published2025-01-14
Modified2025-01-15
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation is to upgrade the Discourse AI plugin to version 92f122c or later, which contains the fix. If upgrading is not immediately feasible, a temporary workaround is to remove all groups from the 'ai bot public sharing allowed groups' site setting. This will prevent the sharing of AI Bot conversations, effectively disabling the vulnerable feature. Monitor Discourse logs for any unusual activity or suspicious JavaScript execution. After upgrading, confirm the fix by attempting to share a conversation containing HTML entities and verifying that the entities are properly sanitized and do not execute as JavaScript.

How to fix

Update the Discourse AI plugin to the latest available version. If you are unable to update, remove all groups from the site setting `ai bot public sharing allowed groups`.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-54142 — XSS in Discourse AI?

CVE-2024-54142 is a critical Cross-Site Scripting (XSS) vulnerability in the Discourse AI plugin, allowing malicious HTML entities in AI Bot conversations to be injected into Discourse posts.

Am I affected by CVE-2024-54142 in Discourse AI?

You are affected if you are using the Discourse AI plugin in a version prior to 92f122c.

How do I fix CVE-2024-54142 in Discourse AI?

Upgrade the Discourse AI plugin to version 92f122c or remove all groups from the 'ai bot public sharing allowed groups' site setting.

Is CVE-2024-54142 being actively exploited?

There are currently no confirmed reports of active exploitation, but the high CVSS score suggests a potential for exploitation.

Where can I find the official Discourse advisory for CVE-2024-54142?

Refer to the official Discourse security announcement on their website for details and updates.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.