osv | Google | OSV:BIT-DISCOURSE-2022-46148
Mar 06, 2024 - 11:02 a.m.

BIT-discourse-2022-46148

2024-03-06 11:02:57
Google
osv.dev
Tags: open-source, messaging platform, self-xss, vulnerability, patched, discourse, content security policy

CVSS3: 7.1
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score: 5.9
Confidence: High

EPSS: 0.001
Percentile: 22.8%

Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the stable branch and versions 2.9.0.beta11 and prior on the beta and tests-passed branches, users who compose a malicious message and navigate to the drafts page could self-XSS. This vulnerability can lead to a full XSS on sites that have modified or disabled Discourse's default Content Security Policy. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
