CVE-2023-37467

Summary

CVE-2023-37467 is a vulnerability that affects the Discourse open source discussion platform. Specifically, versions prior to 3.1.0.beta7 of the 'beta' and 'tests-passed' branches are vulnerable to a Content Security Policy (CSP) nonce reuse vulnerability. This vulnerability could potentially allow cross-site scripting (XSS) attacks to bypass CSP protection for anonymous users. While there are currently no known XSS vectors, if one is discovered, it could successfully execute an XSS attack bypassing CSP. The vulnerability does not affect logged-in users. To remediate this vulnerability, users can update to version 3.1.0.beta7, which contains a patch. Alternatively, disabling Google Tag Manager by unsetting the 'gtm container id' setting can serve as a workaround to prevent the vulnerability. Organizations should be aware of the potential danger this vulnerability poses in terms of enabling successful XSS attacks against their platform and take appropriate steps to mitigate it.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.