```xml
<svg xmlns="http://www.w3.org/2000/svg">
  <script> alert('This is a CVE-2023-30538 vulnerability test!'); </script>
</svg>
```
The Discourse team has already patched this vulnerability in the latest stable and tests-passed versions of the platform. Users are strongly advised to upgrade to one of these patched versions.
For users who cannot upgrade their platform right away, there are two possible workarounds:
1. Enable CDN handling of uploads: It is advisable to use a Content Delivery Network (CDN) to handle user file uploads, which sanitizes SVG files before making them available to users.
2. Disable SVG file uploads: Make sure that the authorized extensions site setting does not include svg. You may also reset the setting to its default configuration, as Discourse does not enable SVG uploads by users by default.
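Whichever workaround is chosen, an operator may want to check whether SVG files already in an upload store carry active content. The following is an added example, not code from Discourse or from any CDN: a small Python check (the names `svg_findings`, `ACTIVE_ELEMENTS` and the two constructed samples are assumptions of this example) that flags script elements, event-handler attributes and script URLs.

```python
import xml.etree.ElementTree as ET

# Elements that can run script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}

def local(name):
    """Strip an '{namespace}' prefix and lowercase the name."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes):
    """Return reasons to reject an uploaded SVG (empty list = nothing found)."""
    lowered = data.lower()
    # Refuse DTDs outright; checked on raw bytes, so this assumes an
    # ASCII-compatible encoding such as UTF-8.
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return ["DOCTYPE/ENTITY declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)
            compact = "".join(value.split()).lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and compact.startswith(("javascript:", "data:text/html")):
                findings.append(f"script URL in {name} on <{tag}>")
    return findings

# The page's test file (namespace typo corrected) and two constructed samples.
PAGE_SAMPLE = b"""<svg xmlns="http://www.w3.org/2000/svg"> <script> alert('This is a CVE-2023-30538 vulnerability test!'); </script> </svg>"""
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
HANDLER = b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()"><rect width="1" height="1"/></svg>'

if __name__ == "__main__":
    for label, sample in [("page", PAGE_SAMPLE), ("benign", BENIGN), ("handler", HANDLER)]:
        print(label, svg_findings(sample) or "no active content found")
```

A non-empty result is a reason to reject or quarantine the file. The check is a denylist for triage, not a replacement for sanitizing SVG or for disabling SVG uploads.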
For more information on this vulnerability and its mitigation, you can refer to the following links:
1. Discourse's official announcement about the vulnerability: Discourse CVE Announcement
2. Technical details of the vulnerability from the NIST National Vulnerability Database: NVD - CVE-2023-30538
It is of utmost importance to keep security issues and vulnerabilities in mind while using any software, especially an open-source platform like Discourse. Make sure to apply the recommended patches, use reliable CDNs, and configure settings appropriately to stay safe from this vulnerability, CVE-2023-30538.
Published on: 04/18/2023 22:15:00 UTC
Last modified on: 04/28/2023 03:50:00 UTC