Lucene search

[email protected]NVD:CVE-2022-46148

HistoryNov 29, 2022 - 5:15 p.m.

CVE-2022-46148

2022-11-2917:15:11

CWE-79

[email protected]

web.nvd.nist.gov

discourse

self-xss

vulnerability

versions 2.8.10 2.9.0.beta11

content security policy

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

22.8%

JSON

Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the stable branch and versions 2.9.0.beta11 and prior on the beta and tests-passed branches, users composing malicious messages and navigating to drafts page could self-XSS. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Affected configurations

Nvd

Node

discoursediscourseRange≤2.8.10

discoursediscourseMatch2.9.0beta1

discoursediscourseMatch2.9.0beta10

discoursediscourseMatch2.9.0beta11

discoursediscourseMatch2.9.0beta2

discoursediscourseMatch2.9.0beta3

discoursediscourseMatch2.9.0beta4

discoursediscourseMatch2.9.0beta5

discoursediscourseMatch2.9.0beta6

discoursediscourseMatch2.9.0beta7

discoursediscourseMatch2.9.0beta8

References

github.com/discourse/discourse/security/advisories/GHSA-c5h6-6gg5-84fh