CVE-2023-32061
MEDIUM
Discourse < 3.0.4 - Unauthenticated Comment Hiding via iFrame Tag
Title source: llm
Description
Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, the lack of restrictions on the iFrame tag makes it easy for an attacker to exploit the vulnerability and hide subsequent comments from other users. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. There are no known workarounds.
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/discourse/discourse/security/advisories/GHSA-prx4-49m8-874g
Scores
CVSS v3
5.4
EPSS
0.0008
EPSS Percentile
22.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (2)
discourse/discourse
3.1.0 beta1 (4 CPE variants)
discourse/discourse
< 3.0.4
Published
Jun 13, 2023
Tracked Since
Feb 18, 2026