Discourse vulnerable to Cross-site Scripting through pending post titles descriptions
CVE-2023-22454

8HIGH

Key Information:

Vendor: Discourse
Status: Discourse
Vendor: CVE Published:; 5 January 2023

What is CVE-2023-22454?

Discourse, a popular open-source discussion platform, contains a vulnerability that allows unprivileged users to exploit pending post titles for cross-site scripting attacks. This flaw is present in versions prior to 2.8.14 on the stable branch and 3.0.0.beta16 on the beta and tests-passed branches. Sites with modified or disabled default Content Security Policies are particularly at risk, as attackers can craft malicious posts which may lead to a full XSS. Immediate patch updates are available for affected versions, and users are strongly advised to upgrade to ensure platform security.

Affected Version(s)

discourse < 2.8.14 < 2.8.14

discourse >= 2.9.0.beta0, < 3.0.0.beta16 < 2.9.0.beta0, 3.0.0.beta16

References

https://github.com/discourse/discourse/security/advisorie...

x_refsource_CONFIRM

https://github.com/discourse/discourse/commit/c0e2d7badac...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 5, 2023
Vulnerability Reserved
Dec 29, 2022