CVE-2024-56328

Severity: 6.5 (MEDIUM)

📋 TL;DR

This vulnerability lets an attacker with posting privileges execute arbitrary JavaScript in other users' browsers by posting malicious onebox URLs in a Discourse forum. It affects only Discourse sites that have Content Security Policy (CSP) disabled. Successful exploitation can steal session cookies, redirect users, or perform other actions in the victim's browser session.

💻 Affected Systems

Products:
  • Discourse
Versions: All versions before the patch
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects Discourse installations with CSP disabled. CSP is enabled by default in Discourse.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal admin session cookies, take over forum administration, and compromise all user accounts and data.

🟠 Likely Case

Attackers steal user session cookies to hijack accounts, post spam or malicious content, or redirect users to phishing sites.

🟢 If Mitigated

With CSP enabled or the patch applied, the vulnerability cannot be exploited and there is no impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires posting privileges on the forum, so an unauthenticated attacker cannot trigger it directly. The vendor advisory provides technical details but no public exploit code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Latest version of Discourse

Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-j855-mhxj-x6vg

Restart Required: Yes

Instructions:

1. Update Discourse to the latest version via the standard update procedure.
2. Restart the Discourse application.
3. Verify that CSP remains enabled.

🔧 Temporary Workarounds

Enable Content Security Policy

Applies to: all

Enable CSP in the Discourse configuration to block the injected script from executing.

Set `Content Security Policy` to enabled in the Discourse admin settings.

Disable Inline Oneboxes Globally

Applies to: all

Prevent onebox rendering for all URLs to remove the attack vector entirely.

Set `disable inline oneboxes` to true in the Discourse admin settings.

🧯 If You Can't Patch

  • Enable Content Security Policy in the Discourse configuration (the default setting).
  • Restrict oneboxing to a small set of trusted domains only.

🔍 How to Verify

Check if Vulnerable:

An installation is vulnerable if CSP is disabled in the Discourse admin settings and the instance is running an unpatched version.

Check Version:

Check the version shown on the Discourse admin dashboard, or run `git log --oneline -1` in the Discourse checkout directory.

Verify Fix Applied:

Confirm that Discourse has been updated to the latest version and that CSP is enabled.

📡 Detection & Monitoring

Log Indicators:

  • Unusual onebox URL patterns in post logs (e.g. oneboxed links to domains the forum has never linked before)
  • A spike in CSP violation reports; note that these only exist if CSP (or CSP report-only mode) is actually enabled, so a site with CSP disabled will not produce them

Network Indicators:

  • Unexpected script loads or outbound requests triggered by onebox URLs in rendered posts
  • CSP violation reports in browser consoles

SIEM Query:

Search for posts containing unusual or newly seen onebox URL patterns, and correlate with CSP violation events where CSP reporting is configured.
