CVE-2022-46148

Published: Nov 29, 2022Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the `stable` branch and versions 2.9.0.beta11 and prior on the `beta` and `tests-passed` branches, users composing malicious messages and navigating to drafts page could self-XSS. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Affected (11)

Products: Discourse: Discourse

Discourse

1 product

Discourse

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Discourse Discourse	Up to 2.8.10
Discourse Discourse	Version 2.9.0 beta10
Discourse Discourse	Version 2.9.0 beta11
Discourse Discourse	Version 2.9.0 beta1
Discourse Discourse	Version 2.9.0 beta2
Discourse Discourse	Version 2.9.0 beta3
Discourse Discourse	Version 2.9.0 beta4
Discourse Discourse	Version 2.9.0 beta5
Discourse Discourse	Version 2.9.0 beta6
Discourse Discourse	Version 2.9.0 beta7
Discourse Discourse	Version 2.9.0 beta8

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://github.com/discourse/discourse/security/advisories/GHSA-c5h6-6gg5-84fh

Source: security-advisories@github.com

Third Party Advisory

https://github.com/discourse/discourse/security/advisories/GHSA-c5h6-6gg5-84fh

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.