Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
A vulnerability in Discourse, an open source discussion platform, allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability affects versions prior to 3.2.5 and 3.3.0.beta5.
This vulnerability could allow attackers to bypass security restrictions and inject malicious content from any domain into the Discourse platform. This could lead to cross-site scripting (XSS) attacks, potentially compromising user data, enabling session hijacking, or facilitating phishing attacks. The CVSS v3.1 base score is 6.1 (High), with low impact on confidentiality and integrity but no direct impact on availability. The attack vector is network-based, requires low attack complexity and no privileges, but does require user interaction.
There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.
A patch is available. The vulnerability has been fixed in Discourse versions 3.2.5 and 3.3.0.beta5.
1. Update Discourse to version 3.2.5 or 3.3.0.beta5 or later.
2. If immediate updating is not possible, consider temporarily disabling or restricting the use of iframes in Discourse until the update can be applied.
3. Implement strong Content Security Policies (CSP) to restrict the sources of content that can be loaded.
4. Educate users about the risks of clicking on unfamiliar content or links within the Discourse platform.
5. Monitor for any suspicious activity or unexpected iframe content on your Discourse instance.
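The following is an added example, not Discourse's own code and not a description of the specific bypass behind CVE-2024-39320. It shows how a defender can validate an iframe src against an allowlist shaped like the allowed_iframes site setting (assumed here to be a pipe-separated list of URL prefixes; the entries are constructed) by comparing parsed URL components instead of raw string prefixes, and how to derive a CSP frame-src directive from the same list for the mitigation in step 3. The function names and the structured matching rules are this example's own.

```ruby
require "uri"

# Constructed allowlist in the style of Discourse's allowed_iframes setting
# (pipe-separated URL prefixes). Values are illustrative, not Discourse defaults.
ALLOWED_IFRAMES_SETTING = "https://www.youtube.com/embed/|https://www.google.com/maps/embed?".freeze

AllowedPrefix = Struct.new(:scheme, :host, :port, :path, :query)

# Parse a string into a URI, returning nil on malformed input instead of raising.
def safe_parse(str)
  URI.parse(str.to_s.strip)
rescue URI::InvalidURIError
  nil
end

# Turn each allowlist entry into its URL components so matching is structural
# (exact scheme/host/port, path prefix) rather than a raw start_with? on text.
def parse_allowed_iframes(setting)
  setting.split("|").map(&:strip).reject(&:empty?).filter_map do |raw|
    uri = safe_parse(raw)
    next nil unless uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?
    AllowedPrefix.new(uri.scheme, uri.host.downcase, uri.port, uri.path, uri.query.to_s)
  end
end

# True only if src is an absolute http(s) URL whose scheme, host and port match
# an allowlist entry exactly and whose path (and query, if the entry has one)
# begins with the entry's. Relative, protocol-relative, userinfo-bearing and
# dot-segment URLs are rejected outright.
def iframe_src_allowed?(src, allowed = parse_allowed_iframes(ALLOWED_IFRAMES_SETTING))
  uri = safe_parse(src)
  return false unless uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?
  return false if uri.userinfo                                  # no user@host forms
  return false if uri.path.split("/").any? { |seg| seg == ".." || seg == "." }

  allowed.any? do |p|
    uri.scheme == p.scheme &&
      uri.host.downcase == p.host &&                            # exact host, never a prefix
      uri.port == p.port &&
      uri.path.start_with?(p.path) &&
      (p.query.empty? || uri.query.to_s.start_with?(p.query))
  end
end

# Build a CSP frame-src directive listing only the origins present in the
# allowlist, so the browser enforces the same restriction server-side filtering does.
def csp_frame_src(allowed = parse_allowed_iframes(ALLOWED_IFRAMES_SETTING))
  origins = allowed.map do |p|
    default_port = p.scheme == "https" ? 443 : 80
    origin = "#{p.scheme}://#{p.host}"
    origin += ":#{p.port}" unless p.port == default_port
    origin
  end.uniq
  "frame-src #{(["'self'"] + origins).join(' ')}"
end

if __FILE__ == $PROGRAM_NAME
  puts csp_frame_src
  puts iframe_src_allowed?("https://www.youtube.com/embed/abc123")
  puts iframe_src_allowed?("https://www.youtube.com.example.test/embed/abc123")
end
```

Emitting the frame-src directive from the allowlist gives defense in depth: even if a server-side filter is bypassed, the browser refuses to load a frame whose origin is not in the policy, and CSP violation reports from it are a useful signal for the monitoring in step 5.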
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Feedly found the first article mentioning CVE-2024-39320.
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-39320
A CVSS base score of 6.1 has been assigned.
Feedly estimated the CVSS score as MEDIUM
EPSS Score was set to: 0.05% (Percentile: 16.2%)