Discourse vulnerable to Cross-site Scripting through pending post titles descriptions
CVE-2023-22454
8 HIGH
Summary
Discourse, a popular open-source discussion platform, contains a vulnerability that lets unprivileged users use pending post titles for cross-site scripting attacks. The flaw is present in versions prior to 2.8.14 on the stable branch and prior to 3.0.0.beta16 on the beta and tests-passed branches. Sites that have modified or disabled the default Content Security Policy are particularly at risk, as attackers can craft malicious posts that may lead to a full XSS. Patches are available for affected versions, and users are strongly advised to upgrade.
Affected Version(s)
discourse < 2.8.14
discourse >= 2.9.0.beta0, < 3.0.0.beta16
CVSS V3.1
Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved