Lucene search

K
cvelistGitHub_MCVELIST:CVE-2022-46148
HistoryNov 29, 2022 - 12:00 a.m.

CVE-2022-46148 Discourse allows self-XSS through malicious composer message

2022-11-2900:00:00
CWE-79
GitHub_M
www.cve.org
cve-2022-46148
discourse
self-xss
messaging platform
open-source
versions 2.8.10
prior
stable branch
2.9.0.beta11
beta branch
tests-passed branch
malicious messages
drafts page
full xss
content security policy
patched

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

22.8%

Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the stable branch and versions 2.9.0.beta11 and prior on the beta and tests-passed branches, users composing malicious messages and navigating to drafts page could self-XSS. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse",
    "versions": [
      {
        "version": "<= 2.8.10",
        "status": "affected"
      },
      {
        "version": ">= 2.9.0.beta1, <= 2.9.0.beta11",
        "status": "affected"
      }
    ]
  }
]

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

22.8%

Related for CVELIST:CVE-2022-46148