Lucene search
HistoryJan 05, 2023 - 8:15 p.m.
CVE-2023-22454
discourse
xss
pending posts
content security policy
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
7.4 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
25.3%
Discourse is an option source discussion platform. Prior to version 2.8.14 on the stable branch and version 3.0.0.beta16 on the beta and tests-passed branches, pending post titles can be used for cross-site scripting attacks. Pending posts can be created by unprivileged users when a category has the βrequire moderator approval of all new topicsβ setting set. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourseβs default Content Security Policy. A patch is available in versions 2.8.14 and 3.0.0.beta16.
Affected configurations
Node
discoursediscourseRange<2.8.14stable
Node
discoursediscourseMatch1.1.0beta1beta
ORdiscoursediscourseMatch1.1.0beta2beta
ORdiscoursediscourseMatch1.1.0beta3beta
ORdiscoursediscourseMatch1.1.0beta4beta
ORdiscoursediscourseMatch1.1.0beta5beta
ORdiscoursediscourseMatch1.1.0beta6beta
ORdiscoursediscourseMatch1.1.0beta6bbeta
ORdiscoursediscourseMatch1.1.0beta7beta
ORdiscoursediscourseMatch1.1.0beta8beta
ORdiscoursediscourseMatch1.2.0beta1beta
ORdiscoursediscourseMatch1.2.0beta2beta
ORdiscoursediscourseMatch1.2.0beta3beta
ORdiscoursediscourseMatch1.2.0beta4beta
ORdiscoursediscourseMatch1.2.0beta5beta
ORdiscoursediscourseMatch1.2.0beta6beta
ORdiscoursediscourseMatch1.2.0beta7beta
ORdiscoursediscourseMatch1.2.0beta8beta
ORdiscoursediscourseMatch1.2.0beta9beta
ORdiscoursediscourseMatch1.3.0beta1beta
ORdiscoursediscourseMatch1.3.0beta10beta
ORdiscoursediscourseMatch1.3.0beta11beta
ORdiscoursediscourseMatch1.3.0beta2beta
ORdiscoursediscourseMatch1.3.0beta3beta
ORdiscoursediscourseMatch1.3.0beta4beta
ORdiscoursediscourseMatch1.3.0beta5beta
ORdiscoursediscourseMatch1.3.0beta6beta
ORdiscoursediscourseMatch1.3.0beta7beta
ORdiscoursediscourseMatch1.3.0beta8beta
ORdiscoursediscourseMatch1.3.0beta9beta
ORdiscoursediscourseMatch1.4.0beta1beta
ORdiscoursediscourseMatch1.4.0beta10beta
ORdiscoursediscourseMatch1.4.0beta11beta
ORdiscoursediscourseMatch1.4.0beta12beta
ORdiscoursediscourseMatch1.4.0beta2beta
ORdiscoursediscourseMatch1.4.0beta3beta
ORdiscoursediscourseMatch1.4.0beta4beta
ORdiscoursediscourseMatch1.4.0beta5beta
ORdiscoursediscourseMatch1.4.0beta6beta
ORdiscoursediscourseMatch1.4.0beta7beta
ORdiscoursediscourseMatch1.4.0beta8beta
ORdiscoursediscourseMatch1.4.0beta9beta
ORdiscoursediscourseMatch1.5.0beta1beta
ORdiscoursediscourseMatch1.5.0beta10beta
ORdiscoursediscourseMatch1.5.0beta11beta
ORdiscoursediscourseMatch1.5.0beta12beta
ORdiscoursediscourseMatch1.5.0beta13beta
ORdiscoursediscourseMatch1.5.0beta13bbeta
ORdiscoursediscourseMatch1.5.0beta14beta
ORdiscoursediscourseMatch1.5.0beta2beta
ORdiscoursediscourseMatch1.5.0beta3beta
ORdiscoursediscourseMatch1.5.0beta4beta
ORdiscoursediscourseMatch1.5.0beta5beta
ORdiscoursediscourseMatch1.5.0beta6beta
ORdiscoursediscourseMatch1.5.0beta7beta
ORdiscoursediscourseMatch1.5.0beta8beta
ORdiscoursediscourseMatch1.5.0beta9beta
ORdiscoursediscourseMatch1.6.0beta1beta
ORdiscoursediscourseMatch1.6.0beta10beta
ORdiscoursediscourseMatch1.6.0beta11beta
ORdiscoursediscourseMatch1.6.0beta12beta
ORdiscoursediscourseMatch1.6.0beta2beta
ORdiscoursediscourseMatch1.6.0beta3beta
ORdiscoursediscourseMatch1.6.0beta4beta
ORdiscoursediscourseMatch1.6.0beta5beta
ORdiscoursediscourseMatch1.6.0beta6beta
ORdiscoursediscourseMatch1.6.0beta7beta
ORdiscoursediscourseMatch1.6.0beta8beta
ORdiscoursediscourseMatch1.6.0beta9beta
ORdiscoursediscourseMatch1.7.0beta1beta
ORdiscoursediscourseMatch1.7.0beta10beta
ORdiscoursediscourseMatch1.7.0beta11beta
ORdiscoursediscourseMatch1.7.0beta2beta
ORdiscoursediscourseMatch1.7.0beta3beta
ORdiscoursediscourseMatch1.7.0beta4beta
ORdiscoursediscourseMatch1.7.0beta5beta
ORdiscoursediscourseMatch1.7.0beta6beta
ORdiscoursediscourseMatch1.7.0beta7beta
ORdiscoursediscourseMatch1.7.0beta8beta
ORdiscoursediscourseMatch1.7.0beta9beta
ORdiscoursediscourseMatch1.8.0beta1beta
ORdiscoursediscourseMatch1.8.0beta10beta
ORdiscoursediscourseMatch1.8.0beta11beta
ORdiscoursediscourseMatch1.8.0beta12beta
ORdiscoursediscourseMatch1.8.0beta13beta
ORdiscoursediscourseMatch1.8.0beta2beta
ORdiscoursediscourseMatch1.8.0beta3beta
ORdiscoursediscourseMatch1.8.0beta4beta
ORdiscoursediscourseMatch1.8.0beta5beta
ORdiscoursediscourseMatch1.8.0beta6beta
ORdiscoursediscourseMatch1.8.0beta7beta
ORdiscoursediscourseMatch1.8.0beta8beta
ORdiscoursediscourseMatch1.8.0beta9beta
ORdiscoursediscourseMatch1.9.0beta1beta
ORdiscoursediscourseMatch1.9.0beta10beta
ORdiscoursediscourseMatch1.9.0beta11beta
ORdiscoursediscourseMatch1.9.0beta12beta
ORdiscoursediscourseMatch1.9.0beta13beta
ORdiscoursediscourseMatch1.9.0beta14beta
ORdiscoursediscourseMatch1.9.0beta15beta
ORdiscoursediscourseMatch1.9.0beta16beta
ORdiscoursediscourseMatch1.9.0beta17beta
ORdiscoursediscourseMatch1.9.0beta2beta
ORdiscoursediscourseMatch1.9.0beta3beta
ORdiscoursediscourseMatch1.9.0beta4beta
ORdiscoursediscourseMatch1.9.0beta5beta
ORdiscoursediscourseMatch1.9.0beta6beta
ORdiscoursediscourseMatch1.9.0beta7beta
ORdiscoursediscourseMatch1.9.0beta8beta
ORdiscoursediscourseMatch1.9.0beta9beta
ORdiscoursediscourseMatch2.0.0beta1beta
ORdiscoursediscourseMatch2.0.0beta10beta
ORdiscoursediscourseMatch2.0.0beta2beta
ORdiscoursediscourseMatch2.0.0beta3beta
ORdiscoursediscourseMatch2.0.0beta4beta
ORdiscoursediscourseMatch2.0.0beta5beta
ORdiscoursediscourseMatch2.0.0beta6beta
ORdiscoursediscourseMatch2.0.0beta7beta
ORdiscoursediscourseMatch2.0.0beta8beta
ORdiscoursediscourseMatch2.0.0beta9beta
ORdiscoursediscourseMatch2.1.0beta1beta
ORdiscoursediscourseMatch2.1.0beta2beta
ORdiscoursediscourseMatch2.1.0beta3beta
ORdiscoursediscourseMatch2.1.0beta4beta
ORdiscoursediscourseMatch2.1.0beta5beta
ORdiscoursediscourseMatch2.1.0beta6beta
ORdiscoursediscourseMatch2.2.0beta1beta
ORdiscoursediscourseMatch2.2.0beta10beta
ORdiscoursediscourseMatch2.2.0beta2beta
ORdiscoursediscourseMatch2.2.0beta3beta
ORdiscoursediscourseMatch2.2.0beta4beta
ORdiscoursediscourseMatch2.2.0beta5beta
ORdiscoursediscourseMatch2.2.0beta6beta
ORdiscoursediscourseMatch2.2.0beta7beta
ORdiscoursediscourseMatch2.2.0beta8beta
ORdiscoursediscourseMatch2.2.0beta9beta
ORdiscoursediscourseMatch2.3.0beta1beta
ORdiscoursediscourseMatch2.3.0beta10beta
ORdiscoursediscourseMatch2.3.0beta11beta
ORdiscoursediscourseMatch2.3.0beta2beta
ORdiscoursediscourseMatch2.3.0beta3beta
ORdiscoursediscourseMatch2.3.0beta4beta
ORdiscoursediscourseMatch2.3.0beta5beta
ORdiscoursediscourseMatch2.3.0beta6beta
ORdiscoursediscourseMatch2.3.0beta7beta
ORdiscoursediscourseMatch2.3.0beta8beta
ORdiscoursediscourseMatch2.3.0beta9beta
ORdiscoursediscourseMatch2.4.0beta1beta
ORdiscoursediscourseMatch2.4.0beta10beta
ORdiscoursediscourseMatch2.4.0beta11beta
ORdiscoursediscourseMatch2.4.0beta2beta
ORdiscoursediscourseMatch2.4.0beta3beta
ORdiscoursediscourseMatch2.4.0beta4beta
ORdiscoursediscourseMatch2.4.0beta5beta
ORdiscoursediscourseMatch2.4.0beta6beta
ORdiscoursediscourseMatch2.4.0beta7beta
ORdiscoursediscourseMatch2.4.0beta8beta
ORdiscoursediscourseMatch2.4.0beta9beta
ORdiscoursediscourseMatch2.5.0beta1beta
ORdiscoursediscourseMatch2.5.0beta2beta
ORdiscoursediscourseMatch2.5.0beta3beta
ORdiscoursediscourseMatch2.5.0beta4beta
ORdiscoursediscourseMatch2.5.0beta5beta
ORdiscoursediscourseMatch2.5.0beta6beta
ORdiscoursediscourseMatch2.5.0beta7beta
ORdiscoursediscourseMatch2.6.0beta1beta
ORdiscoursediscourseMatch2.6.0beta2beta
ORdiscoursediscourseMatch2.6.0beta3beta
ORdiscoursediscourseMatch2.6.0beta4beta
ORdiscoursediscourseMatch2.6.0beta5beta
ORdiscoursediscourseMatch2.6.0beta6beta
ORdiscoursediscourseMatch2.7.0beta1beta
ORdiscoursediscourseMatch2.7.0beta2beta
ORdiscoursediscourseMatch2.7.0beta3beta
ORdiscoursediscourseMatch2.7.0beta4beta
ORdiscoursediscourseMatch2.7.0beta5beta
ORdiscoursediscourseMatch2.7.0beta6beta
ORdiscoursediscourseMatch2.7.0beta7beta
ORdiscoursediscourseMatch2.7.0beta8beta
ORdiscoursediscourseMatch2.7.0beta9beta
ORdiscoursediscourseMatch2.8.0beta1beta
ORdiscoursediscourseMatch2.8.0beta10beta
ORdiscoursediscourseMatch2.8.0beta11beta
ORdiscoursediscourseMatch2.8.0beta2beta
ORdiscoursediscourseMatch2.8.0beta3beta
ORdiscoursediscourseMatch2.8.0beta4beta
ORdiscoursediscourseMatch2.8.0beta5beta
ORdiscoursediscourseMatch2.8.0beta6beta
ORdiscoursediscourseMatch2.8.0beta7beta
ORdiscoursediscourseMatch2.8.0beta8beta
ORdiscoursediscourseMatch2.8.0beta9beta
ORdiscoursediscourseMatch2.9.0beta1beta
ORdiscoursediscourseMatch2.9.0beta10beta
ORdiscoursediscourseMatch2.9.0beta11beta
ORdiscoursediscourseMatch2.9.0beta12beta
ORdiscoursediscourseMatch2.9.0beta13beta
ORdiscoursediscourseMatch2.9.0beta14beta
ORdiscoursediscourseMatch2.9.0beta2beta
ORdiscoursediscourseMatch2.9.0beta3beta
ORdiscoursediscourseMatch2.9.0beta4beta
ORdiscoursediscourseMatch2.9.0beta5beta
ORdiscoursediscourseMatch2.9.0beta6beta
ORdiscoursediscourseMatch2.9.0beta7beta
ORdiscoursediscourseMatch2.9.0beta8beta
ORdiscoursediscourseMatch2.9.0beta9beta
ORdiscoursediscourseMatch3.0.0beta15beta
Related
cvelist
cvelist
prion
prion
Cross site scripting
2023-01-05 20:15:00
osv
osv
CVE-2023-22454
2023-01-05 20:15:18
BIT-discourse-2023-22454
2024-03-06 11:01:50
cve
cve
CVE-2023-22454
2023-01-05 20:15:18
openvas
openvas
Discourse < 3.0.0.beta16 Multiple Vulnerabilities
2023-01-06 00:00:00
Discourse < 2.8.14 Multiple Vulnerability
2022-12-05 00:00:00
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
7.4 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
25.3%
Related for NVD:CVE-2023-22454