CVE-2024-54142
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-54142
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-54142.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-54142
- Aliases
-
- GHSA-94c2-qr2h-88jv
- Published
- 2025-01-14T22:39:49.458Z
- Modified
- 2025-12-01T19:46:19.765692Z
- Severity
-
- 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Cross-site Scripting via Discourse-ai SharedAiConversation onebox in Discourse
- Details
-
Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities those could leak into the Discourse application when a user visited a post with a onebox to said conversation. This issue has been addressed in commit
92f122c. Users are advised to update. Users unable to update may remove all groups fromai bot public sharing allowed groupssite setting. - Database specific
{ "cwe_ids": [ "CWE-79" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/54xxx/CVE-2024-54142.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/54xxx/CVE-2024-54142.json
- https://github.com/discourse/discourse-ai/commit/92f122c54d9d7ead9223a056270bff5b4c42c73f
- https://github.com/discourse/discourse-ai/security/advisories/GHSA-94c2-qr2h-88jv
- https://nvd.nist.gov/vuln/detail/CVE-2024-54142