Source: NVD (NVD:CVE-2022-46148)
History: Nov 29, 2022 - 5:15 p.m.

CVE-2022-46148

Published: 2022-11-29 17:15:11
Weakness: CWE-79
Source: web.nvd.nist.gov
Tags: discourse, self-xss, vulnerability, versions 2.8.10 / 2.9.0.beta11, content security policy

CVSS3 base score: 5.4

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 22.8%

Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the stable branch and versions 2.9.0.beta11 and prior on the beta and tests-passed branches, a user who composes a malicious message and then navigates to the drafts page could trigger a self-XSS. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse's default Content Security Policy. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Affected configurations (NVD)

Vendor / product: discourse / discourse

- Range: <= 2.8.10
- OR Match: 2.9.0 beta1
- OR Match: 2.9.0 beta2
- OR Match: 2.9.0 beta3
- OR Match: 2.9.0 beta4
- OR Match: 2.9.0 beta5
- OR Match: 2.9.0 beta6
- OR Match: 2.9.0 beta7
- OR Match: 2.9.0 beta8
- OR Match: 2.9.0 beta10
- OR Match: 2.9.0 beta11
