
CVE-2024-52794 PoC — Discourse Cross-Site Scripting Vulnerability

Source
Associated Vulnerability
Title: Discourse Cross-Site Scripting Vulnerability (CVE-2024-52794)
Description: Discourse is an open-source community discussion platform developed by Discourse. The platform includes community, email and chat room features. Discourse contains a cross-site scripting vulnerability that is triggered when a user clicks a lightbox thumbnail.
Description
Stored XSS in Discourse via image filename - CVE-2024-52794
Readme
# CVE-2024-52794 – Stored Cross-Site Scripting (XSS) in Discourse

![CVE](https://img.shields.io/badge/CVE-2024--52794-critical?style=flat-square&color=red)
![Platform](https://img.shields.io/badge/Target-Discourse-blue?style=flat-square)
![Bugcrowd](https://img.shields.io/badge/Reported%20via-hackerone-orange?style=flat-square)

---

## Summary

I discovered a stored cross-site scripting (XSS) vulnerability in Discourse, an open-source forum platform. The vulnerability allows an attacker to execute arbitrary JavaScript in the victim’s browser by injecting a malicious payload into the filename of an uploaded image. This affects several user interaction vectors, including public topics, comments, and private messages.

---

## CVE Identifier

- **CVE:** [CVE-2024-52794](https://github.com/discourse/discourse/security/advisories/GHSA-m3v4-v2rp-hfm9)
- **Advisory ID:** [GHSA-m3v4-v2rp-hfm9](https://github.com/discourse/discourse/security/advisories/GHSA-m3v4-v2rp-hfm9)
- **Discovered by:** [Mohand00](https://github.com/Beesco00)
- **Reported via:** [Hackerone](https://hackerone.com/)
- **Date reported:** November 18, 2024

---

## Technical Details

When uploading an image, the filename is rendered without proper sanitization in the frontend. If the filename includes a JavaScript payload, e.g.:

```html
<script>alert(document.domain)</script>
```

...it will be executed when a user clicks the image. This applies to:

* Topics
* Comments
* Direct messages

The vulnerable logic failed to encode or strip script tags from `img` alt attributes or the surrounding markup.
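The render-time failure described above, beside the fix the patched versions apply (escaping every dynamic value, with filename sanitization as defence in depth), as an added JavaScript example that is not Discourse's own code: `escapeHtml`, `sanitizeFilename` and the two `renderLightbox*` functions are assumed helpers, and the filename is a constructed sample mirroring the payload shown above.

```javascript
// Constructed filename modelled on the payload above (sample input, not real data).
const UNTRUSTED_FILENAME = '<script>alert(document.domain)</script>.png';

// Assumed helper: escape the five HTML-significant characters so a value is
// inert in both text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Layer 1 (upload time): reduce the stored filename to a safe character set.
// Anything outside [A-Za-z0-9._-] becomes an underscore, so the stored value
// can never carry markup even if a later renderer forgets to escape it.
function sanitizeFilename(name) {
  return String(name).replace(/[^A-Za-z0-9._-]/g, '_');
}

// VULNERABLE pattern: the filename is concatenated straight into the alt
// attribute and the lightbox caption, so tags in the name survive intact.
function renderLightboxUnsafe(src, filename) {
  return `<a class="lightbox" href="${src}" title="${filename}">` +
         `<img src="${src}" alt="${filename}"></a>` +
         `<div class="caption">${filename}</div>`;
}

// FIXED pattern: every dynamic value is escaped at the point it enters markup
// (layer 2, render time). This is the step that was missing in the affected
// versions; sanitizeFilename above is defence in depth, not a substitute.
function renderLightboxSafe(src, filename) {
  const s = escapeHtml(src);
  const f = escapeHtml(filename);
  return `<a class="lightbox" href="${s}" title="${f}">` +
         `<img src="${s}" alt="${f}"></a>` +
         `<div class="caption">${f}</div>`;
}

// Simple audit check for tests or code review: does rendered markup still
// contain a raw <script> tag? Escaped output (&lt;script&gt;) never matches.
function containsRawScriptTag(markup) {
  return /<\s*script\b/i.test(markup);
}
```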

---

## Impact

* Arbitrary JavaScript execution in victim context
* Full session hijacking (via `document.cookie`)
* Account compromise
* Works across multiple user inputs (persistent XSS)

---

## Affected Versions

| Channel      | Versions Affected |
| ------------ | ----------------- |
| Stable       | ≤ 3.3.2           |
| Beta         | ≤ 3.4.0.beta3     |
| Tests-passed | ≤ 3.4.0.beta3     |

---

## Patched Versions

| Channel      | Patched in Version |
| ------------ | ------------------ |
| Stable       | ≥ 3.3.3            |
| Beta         | ≥ 3.4.0.beta4      |
| Tests-passed | ≥ 3.4.0.beta4      |

The issue was addressed by properly sanitizing user-supplied filenames and escaping all dynamic content in image rendering components.

---

## Disclosure Timeline

| Date         | Event                                  |
| ------------ | -------------------------------------- |
| Nov 18, 2024 | Vulnerability reported via HackerOne   |
| Dec 19, 2024 | CVE assigned: CVE-2024-52794           |
| Dec 19, 2024 | Public advisory published by Discourse |

---

## References

* [Official Advisory – GHSA-m3v4-v2rp-hfm9](https://github.com/discourse/discourse/security/advisories/GHSA-m3v4-v2rp-hfm9)
* [Discourse GitHub Repository](https://github.com/discourse/discourse)
File Snapshot

```text
[4.0K] /data/pocs/e5febb2798534e3e96fcf2af02fab47a43574e30
└── [2.8K] README.md

0 directories, 1 file
```