Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, pending post titles can be used for cross-site scripting attacks. Pending posts can be created by unprivileged users when a category has the "require moderator approval of all new topics" setting set. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy. A patch is available in versions 2.8.14 and 3.0.0.beta16.
Attack Vector Network
Attack Complexity Low
Privileges Required None
Scope Changed
Confidentiality Impact Low
Integrity Impact Low
Availability Impact None
User Interaction Required
No CVSS v3.0
No CVSS v2
Vendors | Products |
---|---|
Discourse |
|
Configuration 1 [-]
|
Configuration 2 [-]
|
References
Link | Resource |
---|---|
https://github.com/discourse/discourse/commit/c0e2d7badac276d82a4056a994b48d68a8993a12 | Patch Third Party Advisory |
https://github.com/discourse/discourse/security/advisories/GHSA-ggq4-4qxc-c462 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-01-05T19:58:36.355Z
Updated:
Reserved: 2022-12-29T03:00:40.877Z
Link: CVE-2023-22454
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-01-05T20:15:18.900
Modified: 2023-01-13T16:02:09.070
Link: CVE-2023-22454
JSON object: View
Redhat Information
No data.
CWE