Discourse vulnerable to Cross-site Scripting through pending post titles descriptions
CVE-2023-22454

8 HIGH

Key Information:

Vendor
Discourse
Status
Vendor
CVE Published:
5 January 2023

Summary

Discourse, a popular open-source discussion platform, contains a vulnerability that allows unprivileged users to exploit pending post titles for cross-site scripting (XSS) attacks. The flaw is present in versions prior to 2.8.14 on the stable branch and prior to 3.0.0.beta16 on the beta and tests-passed branches. Sites with modified or disabled default Content Security Policies are particularly at risk, as attackers can craft malicious posts that may lead to a full XSS. Patches are available for the affected versions, and users are strongly advised to upgrade.

Affected Version(s)

discourse < 2.8.14

discourse >= 2.9.0.beta0, < 3.0.0.beta16

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
