Discourse BBCode plugin vulnerable to arbitrary CSS injection
CVE-2022-46162

8.8HIGH

Key Information:

Vendor: Discourse
Status: Discourse-bbcode
Vendor: CVE Published:; 30 November 2022

Summary

discourse-bbcode is the official BBCode plugin for Discourse. Prior to commit 91478f5, CSS injection can occur when rendering content generated with the discourse-bccode plugin. This vulnerability only affects sites which have the discourse-bbcode plugin installed and enabled. This issue is patched in commit 91478f5. As a workaround, ensure that the Content Security Policy is enabled and monitor any posts that contain bbcode.

Affected Version(s)

discourse-bbcode < 91478f5cfecdcc43cf85b997168a8ecfd0f8df90

References

https://github.com/discourse/discourse-bbcode/security/ad...

https://github.com/discourse/discourse-bbcode/commit/9147...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 30, 2022
Vulnerability Reserved
Nov 28, 2022