CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-54142 – Cross-site Scripting via Discourse-ai SharedAiConversation onebox in Discourse
https://notcve.org/view.php?id=CVE-2024-54142
14 Jan 2025 — Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities those could leak into the Discourse application when a user visited a post with a onebox to said conversation. This issue has been addressed in commit `92f122c`. Users are advised to update. Users unable to update may remove all groups from `ai bot public sharing allowed groups` site setting. • https://github.com/discourse/discourse-ai/commit/92f122c54d9d7ead9223a056270bff5b4c42c73f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23654 – discourse-ai admin-initiated SSRF when interacting with AI services
https://notcve.org/view.php?id=CVE-2024-23654
21 Feb 2024 — discourse-ai is the AI plugin for the open-source discussion platform Discourse. Prior to commit 94ba0dadc2cf38e8f81c3936974c167219878edd, interactions with different AI services are vulnerable to admin-initiated SSRF attacks. Versions of the plugin that include commit 94ba0dadc2cf38e8f81c3936974c167219878edd contain a patch. As a workaround, one may disable the discourse-ai plugin. discurso-ai es el complemento de inteligencia artificial para la plataforma de discusión de código abierto Discourse. Antes de... • https://github.com/discourse/discourse-ai/commit/94ba0dadc2cf38e8f81c3936974c167219878edd • CWE-918: Server-Side Request Forgery (SSRF) •