Published: Nov 30, 2022

CVE-2022-46162 Discourse BBCode plugin vulnerable to arbitrary CSS injection

CWE: CWE-74
CNA: GitHub_M
Source: www.cve.org

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.002

Percentile

59.7%

discourse-bbcode is the official BBCode plugin for Discourse. Prior to commit 91478f5, CSS injection can occur when rendering content generated with the discourse-bbcode plugin: attacker-controlled values from BBCode markup reach the page's CSS without adequate validation. This vulnerability only affects sites which have the discourse-bbcode plugin installed and enabled. This issue is patched in commit 91478f5. As a workaround until the patched commit is deployed, ensure that the Content Security Policy is enabled and monitor any posts that contain BBCode.
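The advisory does not say which BBCode tag carried the injection, so the following is an added illustration of the vulnerability class (CWE-74 into a CSS context), not code from the discourse-bbcode plugin or its fix. It assumes a hypothetical `[color=...]` tag rendered into a `style` attribute, a whitelist regex chosen for the example, and a constructed attacker payload pointing at `attacker.example`. It shows the unsafe interpolation, a hardened renderer that only accepts validated colour values, and a small scanner of the kind the "monitor posts that contain bbcode" workaround calls for.

```javascript
// Added example for CVE-2022-46162's bug class. NOT discourse-bbcode's code:
// the [color=...] tag, the whitelist and the payload are assumptions.

// Escape text content so the example isolates the CSS context from HTML injection.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

const COLOR_TAG = /\[color=([^\]]*)\]([\s\S]*?)\[\/color\]/gi;

// Vulnerable shape: the tag's attribute value is dropped straight into the
// style attribute, so ";" lets the poster add arbitrary CSS declarations
// (e.g. a background-image that beacons to an attacker-controlled host).
function renderColorUnsafe(bbcode) {
  return bbcode.replace(COLOR_TAG, (_, value, inner) =>
    `<span style="color:${value}">${escapeHtml(inner)}</span>`);
}

// Hardened shape: accept only a hex colour or a short alphabetic keyword.
// Any other value cannot carry ";", "}", "(" or quotes, so it cannot extend
// the declaration; a rejected tag renders as its plain inner text.
const SAFE_COLOR = /^(?:#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$/;

function renderColorSafe(bbcode) {
  return bbcode.replace(COLOR_TAG, (_, value, inner) =>
    SAFE_COLOR.test(value)
      ? `<span style="color:${value}">${escapeHtml(inner)}</span>`
      : escapeHtml(inner));
}

// Monitoring helper for the workaround: list the BBCode tags in a post that
// carry an "=value" attribute, since those are the ones that feed CSS.
function attributedBbcodeTags(post) {
  const tags = [];
  for (const m of post.matchAll(/\[([a-z]+)=([^\]]*)\]/gi)) {
    tags.push(m[1].toLowerCase());
  }
  return [...new Set(tags)];
}

// Constructed payload: a valid colour followed by an injected declaration.
const PAYLOAD = '[color=red;background:url(https://attacker.example/?s=)]x[/color]';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderColorUnsafe(PAYLOAD));
  console.log('safe   :', renderColorSafe(PAYLOAD));
  console.log('flagged:', attributedBbcodeTags(PAYLOAD));
}
```

The whitelist approach is the same idea as validating an attribute against a grammar rather than escaping it: in a CSS context there is no escaping that makes `;` or `}` inert inside a style attribute, so the only robust fix is to refuse anything that is not a known-good value. A CSP with a restrictive `img-src`/`style-src` limits what an injected declaration can reach (blocking the beacon above), which is why the advisory lists it as a mitigation rather than a fix.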

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse-bbcode",
    "versions": [
      {
        "version": "< 91478f5cfecdcc43cf85b997168a8ecfd0f8df90",
        "status": "affected"
      }
    ]
  }
]
